Soyong

Reputation: 188

Java SSL Certificate Verification with a proxy

I have an issue with the verification of an SSL certificate. What I am trying to do is send some data from a Java program to a server, which then stores that data.

The issue is that the SSL certificate validation fails with the following exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed [...] unable to find valid certification path to...

I am able to resolve this issue by adding the "end-user" certificate of the server to the truststore I am using.

The chain looks something like this:

Root Certificate 1
Intermediate Cert 11
Intermediate Certificate x
End-User Certificate

Something to note about this whole chain / process: the communication is using the company's proxy, which replaces all the certificates and creates its own chain.

So back to the issue: by adding the end-user certificate, everything runs fine, but only for a little while, before that certificate gets refreshed and the one I added is no longer valid. I have tried adding just the root certificate, just each intermediate certificate, adding all 3 certificates, and also adding the certificate which would be used if the proxy does not replace the chain. But somehow the certificate cannot be validated.

Is there something I might be overlooking? Do I have to add something else to be able to validate the certificate?

Edit: Maybe something to note: I checked the chain by using the browser to navigate to said server and then checking the SSL certificates.

Upvotes: 2

Views: 714

Answers (1)

Soyong

Reputation: 188

This seemed to be an issue with the certificates provided by the company that replaced the certificate chain.

For some reason the chain was not completed, and I had to add all certificates in the chain to the truststore to make it work.

Upvotes: 0
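
An added diagnostic, not code from the original post: it prints the chain the proxy actually presents to the JVM during the handshake, marks which of those certificates are in the given truststore, and then validates exactly as the default PKIX trust manager would. The class name `ChainDump`, the argument order (URL, truststore path, password), and the host and proxy values in the comment are assumptions.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.net.URI;
import java.security.*;
import java.security.cert.*;

// Added diagnostic (hypothetical class name). Example invocation, placeholder values:
//   java -Dhttps.proxyHost=proxy.example -Dhttps.proxyPort=8080 \
//        ChainDump https://server.example/ truststore.jks changeit
public class ChainDump {
    static boolean inStore(KeyStore ks, X509Certificate c) {
        try { return ks.getCertificateAlias(c) != null; }
        catch (KeyStoreException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[1])) {
            ts.load(in, args[2].toCharArray());
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];
        // Prints the chain exactly as received, then delegates to the real validator.
        X509TrustManager logging = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                for (X509Certificate c : chain) {
                    System.out.printf("subject=%s%n  issuer=%s%n  notAfter=%s inTruststore=%b%n",
                        c.getSubjectX500Principal(), c.getIssuerX500Principal(),
                        c.getNotAfter(), inStore(ts, c));
                }
                real.checkServerTrusted(chain, authType); // validation is not weakened
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException { real.checkClientTrusted(chain, authType); }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { logging }, null);
        HttpsURLConnection conn =
            (HttpsURLConnection) URI.create(args[0]).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try { conn.connect(); System.out.println("Validation succeeded"); }
        catch (SSLHandshakeException e) { System.out.println("Validation failed: " + e.getMessage()); }
        finally { conn.disconnect(); }
    }
}
```

The printed list is what the JVM receives, which can be shorter than the chain a browser displays. Any issuer that is neither sent by the proxy nor present in the truststore leaves the path incomplete.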
