calavera.info

Reputation: 1200

How to add CA certificate to cacerts store so that it works as expected?

UPDATE: After I have found a solution, I edited the question to be more clear for future reference.

I've got a corporate (i.e. not well-known) CA certificate from a company which provides us web services to be called from Java. I added this CA certificate to the default cacerts trust store (keytool -import -file cert.cer -alias myca -keystore jre/lib/security/cacerts), but the connection to the service still fails with the dreaded "PKIX path building failed" message. I have checked that the issuer field of the end server certificate is the same as in the CA certificate and also that the validity dates are OK.

I don't know how to explain this. I can think of the following reasons but I don't know which one is true:

  1. I have noticed that when I also add the end server certificate to the trust store, the connection is OK. Maybe cacerts by design doesn't work as I expect (i.e. all the certificates signed by an authority added there are considered valid), but instead I have to add all the end server certificates to a trust store including the CA certificate of their issuer.
  2. I have to add CA certificate in some other way - by different command, to different file etc.
  3. Maybe the CA certificate is not correct and keytool refuses to consider it a certificate authority.
  4. Maybe PKIX path building fails for other reason.

How can I debug this problem more to find an answer?


Upvotes: 2

Views: 14933

Answers (3)

calavera.info

Reputation: 1200

Thanks to @pedrofb's comment I found out that the reason PKIX path building fails is simply that the CA certificate I got is not the CA that signed the end certificate. What made it so complicated is the monstrous incompetence of the company that gave me the CA certificate, which obviously has two CAs with almost the same description (cn, o, st, c) which differ only in SN and which both issued the same wildcard certificate. Only after I became super paranoid and compared the SNs did I understand the problem.

Upvotes: 1
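A small diagnostic, added here as an example (it is not code from the question or from any of the answers), that does what the question asks for and what the accepted answer ended up doing by hand: it loads the server certificate and the CA certificate you were given, shows that matching issuer/subject DNs prove nothing, and checks whether the CA's key actually verifies the server certificate, then runs the same PKIX validation JSSE would with only that CA as trust anchor. It assumes two DER or PEM files passed as arguments (server.cer and cert.cer are assumed names).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.Collections;

/** Checks whether a candidate CA certificate really issued a given server certificate. */
public class IssuerCheck {
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** True only if the CA's public key verifies the server certificate's signature. */
    static boolean signedBy(X509Certificate server, X509Certificate ca) {
        try {
            server.verify(ca.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;   // wrong CA, or a CA with the same DN but a different key
        }
    }

    /** Runs PKIX path validation with the candidate CA as the only trust anchor. */
    static String pkixResult(X509Certificate server, X509Certificate ca) {
        try {
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Collections.singletonList(server));
            PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(ca, null)));
            params.setRevocationEnabled(false);   // keep the check offline; revocation is a separate concern
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return "PKIX validation OK";
        } catch (CertPathValidatorException e) {
            return "PKIX validation failed: " + e.getMessage();
        } catch (GeneralSecurityException e) {
            return "PKIX validation error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate server = load(args[0]);   // server.cer: the end-entity certificate (assumed name)
        X509Certificate ca = load(args[1]);       // cert.cer: the CA certificate you were given (assumed name)
        System.out.println("server issuer : " + server.getIssuerX500Principal());
        System.out.println("CA subject    : " + ca.getSubjectX500Principal());
        System.out.println("CA serial     : " + ca.getSerialNumber().toString(16));
        // Two CAs may share cn/o/st/c and differ only in serial number and key, so a DN match is not enough.
        System.out.println("DN match      : " + server.getIssuerX500Principal().equals(ca.getSubjectX500Principal()));
        System.out.println("signature OK  : " + signedBy(server, ca));
        System.out.println(pkixResult(server, ca));
    }
}
```

If "DN match" is true but "signature OK" is false, you have the situation from the accepted answer: the right name, the wrong CA.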

Novoj

Reputation: 341

I was facing the same problem with "PKIX path building failed" with Let's Encrypt signed certificates at a time when Java didn't incorporate the Let's Encrypt CA certificate in its default trust store.

My story is written in detail here: http://blog.novoj.net/2016/02/29/how-to-make-apache-httpclient-trust-lets-encrypt-certificate-authority/

In the end I was able to make Java trust "the end of the chain" server certificate by creating an internal trust store embedded in my application that contains only the root CA certificate (and the backup one).

I much prefer creating an internal application truststore to importing the certificate into the main Java trust store, for two reasons:

  • you don't need another extra step in the install procedure for initializing the global trust store
  • you limit "the trust" to your application and don't affect other applications running on the same JVM (or better, you can even limit the trust to certain instances of client objects in your application if required)

Maybe I had a different scenario than you're facing, so downvote me if I didn't get the point.

Upvotes: 2

GreyBeardedGeek

Reputation: 30088

The trust store needs to contain the root certificate (the CA's cert).

I'm not sure if that's what you mean by "the last one in the chain", but the CA certificate should be the last one in the certificate chain presented by the server.

If your certificate is signed by a well-known CA, then the CA cert should be in the trust store, and if the server's certificate chain is set up properly, everything should just work.

If yours is a self-signed certificate, then the root certificate will not be in the trust store, and you will have to add it.

Upvotes: 0
