## Why does my Java client get a \'PKIX path building failed\' error when accessing an HTTPS web service?

PKIX Path Building Failed: Unable to Find Valid Certification Path to Requested Target

Question:

When attempting to access a particular HTTPS web service using a Java client, the following exception is encountered:

java.lang.RuntimeException: PKIX path building failed: unable to find valid certification path to requested target

Answer:

This exception indicates that the Java client is unable to establish a secure connection with the web service due to an issue with the certificate chain presented by the server.

Possible Solutions:

1. Configure Trust Store:

   The client might not have the necessary certificates installed in its trust store. To resolve this, set the system properties to specify the path to the trust store and its password:

   <code class="java">System.setProperty("javax.net.ssl.trustStore", "clientTrustStore.key");
   System.setProperty("javax.net.ssl.trustStorePassword", "password");</code>

2. Import Server Certificate:

   If the client's trust store doesn't contain the server's certificate, manually import it. Follow these steps:

   • Export the server's certificate in PEM format (e.g., certificate.crt) using a tool like openssl.

   • Convert the PEM file to a binary X.509 certificate file (e.g., certificate.der):

     <code class="shell">openssl x509 -in certificate.pem -out certificate.der -outform DER</code>

   • Import the DER file into the client's trust store using the keytool utility:

     <code class="shell">keytool -import -alias server_cert -file certificate.der -keystore clientTrustStore.key</code>

3. Update Java SSL Configuration:

   Ensure that the Java SSL configuration is set correctly. For example, by modifying ~/.java/jre/lib/security/jssecacerts or using the following command:

   <code class="shell">keytool -import -alias server_cert -file certificate.der -keystore cacerts</code>

4. Disable SSL Certificate Verification (Not Recommended):

   As a temporary measure, you can disable SSL certificate verification, but this is not recommended due to security concerns:

   <code class="java">HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);</code>

5. Obtain Different Certificate:

   If the web service requires a specific certificate, obtain that certificate and install it in the client's trust store.

The above is the detailed content of ## Why does my Java client get a \'PKIX path building failed\' error when accessing an HTTPS web service?. For more information, please follow other related articles on the PHP Chinese website!