Adding Root Certificates to the Java Keystore

10 Sep

An external party switched certificate supplier, leaving some people within our organization with a little headache. Their SMS service wasn’t working anymore and they couldn’t figure out what the issue was. In the log file they found the following error (I’ll include the whole log for indexing): unable to find valid certification path to requested target.

net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
                at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
                at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
                at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
                at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
                at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
                at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
                at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
                at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
                at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
                at java.io.BufferedOutputStream.flush(Unknown Source)
                at java.io.FilterOutputStream.flush(Unknown Source)
                at org.apache.commons.httpclient.methods.StringRequestEntity.writeRequest(StringRequestEntity.java:146)
                at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
                at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
                at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
                at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
                at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
                at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
                at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
                at programs.SMSSendWebService.callCorporateMobile(SMSSendWebService.java:189)
                at programs.SMSSendWebService.smsSend(SMSSendWebService.java:76)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                at java.lang.reflect.Method.invoke(Unknown Source)
                at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:382)
                at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:279)
                at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:319)
                at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
                at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
                at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
                at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:455)
                at org.apache.axis.server.AxisServer.invoke(AxisServer.java:285)
                at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:637)
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
                at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:301)
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
                at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
                at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
                at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
                at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
                at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
                at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
                at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
                at sun.security.validator.Validator.validate(Unknown Source)
                at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
                at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
                at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
                … 49 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
                at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
                at java.security.cert.CertPathBuilder.build(Unknown Source)
                … 55 more
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Resolution:

The Root CA certificate and the Intermediate CA certificate needed to be added to the Java keystore as trusted certificates. For extracting the certificates from a website, refer to the following articles: Procedure for Windows (use the first part only). Procedure for Mac.

When you have extracted the Root and Intermediate CA certificates you need to import them into the Java cacerts keystore. This is a file on your Windows system that can be found by running dir /s *cacerts* from c:\. It will be in your <<java_home>>\lib\security folder. In our case the location is: c:\program files\java\jre1.6.0_07\lib\security\cacerts. The commands you need for importing the root and intermediate CA certificates are:

Root:

"c:\program files\java\jre1.6.0_07\bin\keytool.exe" -import -trustcacerts -alias root -file <<path_to>>\root.cer -keystore "c:\program files\java\jre1.6.0_07\lib\security\cacerts"

Intermediate:

"c:\program files\java\jre1.6.0_07\bin\keytool.exe" -import -trustcacerts -alias rootca -file <<path_to>>\intermediate.cer -keystore "c:\program files\java\jre1.6.0_07\lib\security\cacerts"

You will be asked for the password of the keystore. If you didn’t change the default password it is: changeit. Of course it’s a good idea to change it; the command to do so is:

"c:\program files\java\jre1.6.0_07\bin\keytool.exe" -storepasswd -keystore "c:\program files\java\jre1.6.0_07\lib\security\cacerts"
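Before and after the import it helps to check the keystore the same way Java does, rather than guessing from the stack trace. The following small program is an added diagnostic, not code from this post or from the SMS application: it loads a cacerts file, reports which certificates of a saved server chain are already trusted entries in it, and then runs the same PKIX path validation that raised the "unable to find valid certification path" exception above. The class name CheckTrust, the chain.pem file name and the command-line arguments are assumptions; chain.pem is expected to hold the server certificate followed by the intermediate(s) in PEM (Base64) form, as exported from the browser. It uses Java 7 syntax, so compile it with a current JDK.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/*
 * CheckTrust: added diagnostic, not code from the blog post.
 * Usage (the paths, password and file name are assumptions):
 *   java CheckTrust "C:\Program Files\Java\jre1.6.0_07\lib\security\cacerts" changeit chain.pem
 */
public class CheckTrust {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java CheckTrust <cacerts> <storepass> <chain.pem>");
            System.exit(2);
        }
        KeyStore trustStore = loadKeyStore(args[0], args[1].toCharArray());
        List<X509Certificate> anchors = trustedCertificates(trustStore);
        List<X509Certificate> chain = readChain(args[2]);

        // Show, per certificate in the saved chain, whether the store already trusts it.
        for (X509Certificate cert : chain) {
            System.out.println((anchors.contains(cert) ? "[trusted]   " : "[untrusted] ")
                    + cert.getSubjectX500Principal().getName());
        }
        String failure = validate(chain, trustStore);
        System.out.println(failure == null
                ? "OK: chain validates against " + args[0]
                : "FAIL: " + failure);
    }

    // Loads the JRE's cacerts (or any JKS/PKCS12 store) with its store password.
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Every trustedCertEntry in the store is a PKIX trust anchor for the JRE.
    static List<X509Certificate> trustedCertificates(KeyStore ks) throws Exception {
        List<X509Certificate> trusted = new ArrayList<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                trusted.add((X509Certificate) ks.getCertificate(alias));
            }
        }
        return trusted;
    }

    // Parses one or more concatenated PEM certificates, server certificate first.
    static List<X509Certificate> readChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    // Returns null when the path builds to an anchor in the store, otherwise the
    // validator's reason. Certificates that are themselves trust anchors are removed
    // from the path first, because PKIX expects the anchor outside the path.
    static String validate(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        List<X509Certificate> path = new ArrayList<>(chain);
        path.removeAll(trustedCertificates(trustStore));
        if (path.isEmpty()) {
            return null; // the server certificate itself is a trusted entry
        }
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // offline check; CRL/OCSP status is not the question here
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);
            return null;
        } catch (CertPathValidatorException e) {
            return e.getMessage();
        }
    }
}
```

Point it at the cacerts of the JRE that actually runs Tomcat (the one in the JRE's bin\java.exe path or set by -Djavax.net.ssl.trustStore), since a machine with several JREs has several cacerts files and importing into the wrong one changes nothing. Two things worth knowing once the import works: a JRE update installs a fresh cacerts, so the imported certificates have to be added again after upgrading, and a server that sends its intermediate certificate in the handshake only needs the root in the trust store; importing the intermediate as well, as done above, covers a server that does not send it.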

Categories:

PKI (Certificates)
