Importing SSL Certificate to Java

Question

I am trying to invoke an method from a JAR library which calls an web service. When I call the required method, I am getting the below error.

sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

I have a valid SSL certificate file(ssl_file.pfx) and a password. When I Google, all results were asking to use Keytool to add the certificate to cacert.

when I tried the below command, I am getting "Input not an X.509 certificate" message.

keytool -import -file ssl_file.pfx -alias somealias -keystore keystore_file -storepass changeit

NOTE: I don't have admin access for the JRE /lib/security/cacerts file/folder.

How can I resolve this? Is there any other option to do this via program?

Answer 1

PFX files are not certificates (assuming you're using the usual extension correctly), they're PKCS#12 stores, containing both certificates a private keys.

keytool can treat such files as PKCS12 keystores, so you can export your certificate (without its private key) using:

keytool -exportcert -file cert.crt -keystore ssl_file.pfx -storetype PKCS12 -alias ...

(First use -list instead of -exportcert if you don't know the existing alias name.)

Then, import that certificate:

keytool -importcert -file cert.crt -alias somealias -keystore keystore_file ...

This being said, unless it's a self-signed certificate, you should generally not do any of this, rather import the CA certificate in your truststore.