Unable to find valid certification path to requested target

Jeppe Sommer
Ranch Hand

Joined: Jan 07, 2004
Posts: 270
Hi.

I have some server SSL certificates "installed" / "placed" on my Tomcat server to be able to call some external web services using HTTPS.

The Tomcat container is automatically restarted every night. Sometimes, not every day, which is strange, I get this error after a restart:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This is how I install the certificates:
I just upload the certificates "Filename.crt" to the java security folder: "/usr/java/to/path/to/jre/security/Filename.crt"

Question 1:
Why does this error occur from time to time only and not every day?

Question 2:
What is the difference between putting the certificates in the folder "/usr/java/to/path/to/jre/security/" like I do versus importing the certificates to a keystore using Java Keytool, i.e.:
keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

Question 3:
I read that all root CA have to be imported into Java keystore: please see:
http://stackoverflow.com/questions/7205418/truststore-and-reocurring-unable-to-find-valid-certification-path-to-requested

Is that right?
I hope you can help give me some answers, please.
Arshad Noor
Ranch Hand

Joined: Oct 06, 2011
Posts: 34
Are you saying that Tomcat restarts by itself every day? Or do you explicitly restart it for some reason?

Regardless, trusted CA certificates may be in one of many places: i) the cacerts file from JAVA_HOME/jre/lib/security; ii) application-specific keystore.jks files; or iii) any file of your choice.

When the CA cert is imported using keytool into cacerts, the certificate is trusted by ALL applications that use that JVM.

When the CA cert is imported using keytool into a specific keystore.jks file, the certificate is trusted by that specific application using that keystore; in your case, it would be the Tomcat application.

When the CA cert is imported using keytool into a filename of your choice, the certificate is NOT visible to anything unless you specify options on the command-line to Java that it should use the custom file with the CA cert in it.

As for the file stored as Filename.crt in the JAVA_HOME/jre/lib/security folder, it does nothing, unless you've created some application or script that automatically imports files with a .crt extension into the cacerts file each time you restart. That might explain the bizarre behavior you're seeing.

Arshad Noor
StrongAuth, Inc.
Jeppe Sommer
Ranch Hand

Joined: Jan 07, 2004
Posts: 270
Yes, Tomcat restarts itself every day.

I have created my own keystore called myCompany.jks. This keystore is located in: $JAVA_HOME/jre/lib/security/myCompany.jks.

I have imported all certificates into this keystore, both the CARoot and lowest certificates in the chain.

I use the keytool command:
keytool -import -trustcacerts -file CARoot.crt -alias CARoot -keystore $JAVA_HOME/jre/lib/security/myCompany

So from what you are saying:
When the CA cert is imported using keytool into a filename of your choice, the certificate is NOT visible to anything unless you specify options on the command-line to Java that it should use the custom file with the CA cert in it.

- the conclusion is that I have to import the certificates into cacerts instead of using my own keystore called myCompany.jks?

What is strange is that it works sometimes, but only from time to time.

I have read that you can setup a connector in Tomcat /conf/server.xml configuration file, please see:
http://tomcat.apache.org/tomcat-5.5-doc/config/http.html

- but it didn't help either.


Arshad Noor
Ranch Hand

Joined: Oct 06, 2011
Posts: 34
- the conclusion is that I have to import the certificates into cacerts instead of using my own keystore called myCompany.jks?


If you want it to consistently work without specifying any -D options for specific keystores/truststores, then yes, you should pull the trusted CA cert into the "cacerts" file. Alternatively, you can keep it in your custom file, but consistently specify the location of the keystore/truststore on the command-line that starts the JVM; see this thread for more: http://www.coderanch.com/t/561288/Security/javax-net-ssl-keyStore-javax.

Arshad Noor
StrongAuth, Inc.
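To make the distinction in the two replies above concrete (a CA in cacerts is trusted by the JVM's default trust manager; a CA in a custom .jks file is only trusted when that file is named explicitly), here is an added example that is not from this thread or from Tomcat. It lists what the default trust manager actually trusts, so you can check whether CARoot is there after a restart, and then loads a custom truststore programmatically, which is the in-code equivalent of the -Djavax.net.ssl.trustStore option. The file name myCompany.jks, the password "changeit" and the path under java.home are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreCheck {

    // CAs trusted by the JVM's DEFAULT trust manager: cacerts, or whatever
    // -Djavax.net.ssl.trustStore points to. A myCompany.jks that merely sits
    // in jre/lib/security is not consulted and will not show up here.
    static X509Certificate[] defaultTrustedCas() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null keystore = use the JVM default truststore
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    // SSLContext that trusts ONLY the CAs in a custom keystore file; this is
    // what -Djavax.net.ssl.trustStore=<path> -Djavax.net.ssl.trustStorePassword=<pw>
    // does for the whole JVM, done explicitly for one context instead.
    static SSLContext contextFromCustomTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // 1. Diagnostic: if CARoot is not in this list, PKIX path building fails
        //    for every application on this JVM that relies on the default truststore.
        for (X509Certificate ca : defaultTrustedCas()) {
            System.out.println("trusted by default: " + ca.getSubjectX500Principal());
        }
        // 2. Use the custom store explicitly (path and password are assumptions).
        String path = System.getProperty("java.home") + "/lib/security/myCompany.jks";
        SSLContext ctx = contextFromCustomTrustStore(path, "changeit".toCharArray());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        // From here on, HttpsURLConnection trusts CARoot whether or not it is in cacerts.
    }
}
```

Running step 1 right after one of the nightly restarts is the quickest way to tell whether the JVM that came up is the one whose cacerts you expected; a different java.home (and so a different cacerts) would explain an error that appears only sometimes.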