Posts tagged jssecacerts
Had a small issue with a few Java apps that I run. The apps connect to MS Exchange and download attachments from emails, send out emails, create calendar entries, etc.
The problem was that this past weekend I updated my Exchange certs to use my Microsoft Certificate Server certs, which, of course, are not part of the default “Trusted Root Cert keystore”, so I had to add it.
So in order to add your MS Root Cert, you need to (By the way, this will work with any other 3rd party CA certs)
- Point your browser to your root certificate server
- Click on the link “Download a CA certificate, certificate chain, or CRL”
- Download the CA cert (DER format is fine)
(I saved the CA certificate as “C:\certnew.cer”; remember the location because you will need it for the import command)
- Open up a command window and type the following command
C:\Java\jre1.5.0_06\bin\keytool.exe -import -keystore C:\Java\jre1.5.0_06\lib\security\cacerts -file "C:\certnew.cer"
When it prompts for a password, enter your keystore password (note that in this example I'm using the default password for Java keystores, which is “changeit”)
The output of the command should look like this
    C:\Java\jre1.5.0_06\bin\keytool.exe -import -keystore C:\Java\jre1.5.0_06\lib\security\cacerts -file "C:\certnew.cer"
    Enter keystore password: changeit (this is the default password for keystores)
    Owner: CN=Certs, DC=pinchii, DC=com
    Issuer: CN=Certs, DC=pinchii, DC=com
    Serial number: 7f0000000000000000000052f8702fa0
    Valid from: Wed Aug 04 10:39:12 EDT 2010 until: Tue Aug 04 10:46:24 EDT 2020
    Certificate fingerprints:
    MD5: 16:00:EC:00:6F:00:23:00:36:00:D1:00:8E:00:60:00
    SHA1: 1F:00:B4:00:38:00:BB:00:FB:00:0F:00:46:00:B1:00:41:00:9F:00
    Trust this certificate? [no]: yes
    Certificate was added to keystore
- Test out your Java application now; you should be OK with certificates signed by your Microsoft Root Certificate Server from now on.
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
If you are here, it is because you got the error above and you are trying to figure out why, and how to solve it…
Well, I'm here to help you get it solved fast so you can get back to whatever it is you were doing before you looked this up 🙂
- Get a copy of the .cer file, either right from the server you are trying to access, or by installing it to your machine then exporting it
- Get Portecle and run it
- From inside Portecle, click on “Open Keystore File” and find the cacerts file for your Java installation (in my case it is C:\Program Files\Java\jre1.6.0_07\lib\security\cacerts)
- When prompted for a password, it will probably be one of the defaults; I used “changeit”
- Click on “Import Trusted Certificate”, find the .cer file from step 1, add it, agree to everything (especially if it's a self-signed cert)
- Hit the save button, and voila, you're SSL'ing away
Note: If you have a jssecacerts file in your security folder, Java will always look at the jssecacerts file first and ignore your cacerts file, so you must get rid of the jssecacerts file before Java will look at cacerts.