lovasoa

Reputation: 6855

Java raises an SSLHandshakeException even if the root certificate is in the trust store

The following java code:

new URL("https://www.limagrain.com/").openStream()

raises the following error:

javax.net.ssl.SSLHandshakeException thrown: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

However, the root certificate used by this site (Thawte Primary Root CA - G3) is present in Java's trust store, and the site displays without problems in browsers.

Checking the site on Qualys SSL checker gives a warning about an intermediate certificate marked as extra download.

How do I make Java download the intermediate certificates automatically?

Upvotes: 5

Views: 8510

Answers (2)

lovasoa

Reputation: 6855

Solution

Set the system property com.sun.security.enableAIAcaIssuers to true.

System.setProperty("com.sun.security.enableAIAcaIssuers", "true");

See Oracle's Java PKI guide: https://docs.oracle.com/javase/7/docs/technotes/guides/security/certpath/CertPathProgGuide.html#AppB.

Upvotes: 11
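An added example (not code from the original post) showing where that property has to be set and what the JDK will fetch. The JDK reads com.sun.security.enableAIAcaIssuers once, when the PKIX path builder class is first loaded, so it must be set before the first TLS handshake in the JVM (or passed as -D on the command line). The helper caIssuersUri is an assumed name; it does a minimal DER scan of the leaf's Authority Information Access extension to print the caIssuers URL that the builder follows, which is the quickest way to confirm that the property can help at all for a given server:

```java
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;

public class AiaFetchDemo {

    // Minimal DER scan of the AIA extension (OID 1.3.6.1.5.5.7.1.1) for the
    // id-ad-caIssuers access method (OID 1.3.6.1.5.5.7.48.2).
    // Assumption: the URI length fits in one DER length byte (short form);
    // a long-form length or a non-URI GeneralName returns null.
    static String caIssuersUri(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue("1.3.6.1.5.5.7.1.1"); // DER, wrapped in an OCTET STRING
        if (ext == null) {
            return null; // no AIA at all: enableAIAcaIssuers cannot help for this certificate
        }
        byte[] oid = {0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02}; // caIssuers OID
        for (int i = 0; i + oid.length + 2 < ext.length; i++) {
            boolean match = true;
            for (int j = 0; j < oid.length; j++) {
                if (ext[i + j] != oid[j]) { match = false; break; }
            }
            if (!match) continue;
            int p = i + oid.length;
            if ((ext[p] & 0xFF) != 0x86) return null;   // expect [6] uniformResourceIdentifier
            int len = ext[p + 1] & 0xFF;
            if (len > 127 || p + 2 + len > ext.length) return null; // long-form length: not handled
            return new String(ext, p + 2, len, StandardCharsets.US_ASCII);
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Must run BEFORE the first certificate path is built in this JVM: the PKIX
        // builder copies the property into a static field when its class is loaded.
        // Command-line equivalent: java -Dcom.sun.security.enableAIAcaIssuers=true AiaFetchDemo
        System.setProperty("com.sun.security.enableAIAcaIssuers", "true");

        String target = args.length > 0 ? args[0] : "https://www.limagrain.com/";
        HttpsURLConnection conn = (HttpsURLConnection) new URL(target).openConnection();
        conn.setRequestMethod("HEAD");
        conn.connect(); // TLS handshake: SSLHandshakeException is thrown here if path building fails
        try {
            System.out.println("HTTP " + conn.getResponseCode());
            // getServerCertificates() returns what the server SENT, not the path the JDK
            // built, so a server missing its intermediate shows only the leaf here,
            // together with the caIssuers URL the JDK fetched to complete the path.
            for (Certificate c : conn.getServerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("sent:   " + x.getSubjectX500Principal());
                System.out.println("  issuer:    " + x.getIssuerX500Principal());
                System.out.println("  caIssuers: " + caIssuersUri(x));
            }
        } finally {
            conn.disconnect();
        }
    }
}
```

Note that enabling AIA fetching makes certificate validation perform an unauthenticated outbound HTTP (or LDAP/FTP) request during the handshake; in environments with egress filtering that download fails and the original PKIX error reappears, which is why the proxy note in the other answer matters.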

Pratiyush Kumar Singh

Reputation: 2007

As you are using a secure channel (HTTPS), the root certificate alone is not enough. You would need either the root and the CA certificate, or the complete certificate chain.

Part - I

Support for the Authority Information Access (AIA) Extension

Support for the caIssuers access method of the Authority Information Access extension is available. It is disabled by default for compatibility and can be enabled by setting the system property com.sun.security.enableAIAcaIssuers to the value true.

If set to true, Sun's PKIX implementation of CertPathBuilder uses the information in a certificate's AIA extension (in addition to CertStores that are specified) to find the issuing CA certificate, provided it is a URI of type ldap, http, or ftp.

Note: Depending on your network and firewall setup, it may be necessary to also configure your networking proxy servers as described in the [networking documentation](http://docs.oracle.com/javase/8/docs/technotes/guides/net/properties.html).

Part - II

Below are the steps to import the certificate chain into Java's cacerts manually.

  1. Open https://www.limagrain.com/ in Google Chrome, then press F12.
  2. Select the Security tab and select the certificate path.
  3. Go to the Details tab and click Export to file. Select the Base-64 encoded type.
  4. Give the certificate file a name and click Next, then Next.
  5. Open the certificate and check that the certificate chain was exported properly.
  6. Go to %JAVA_HOME%/jre/lib/security in cmd.exe.
  7. Import the certificate chain using the command below.

    keytool -importcert -file limagrain.cer -alias limagrain -keystore cacerts -storepass changeit

NOTE: make sure the certificate path is correct.

  8. Accept the certificate in cacerts by typing "yes".

Upvotes: 3
