HTTPS client cannot connect - PKIX path is corrupt, but root certificate exists

I have an HTTP client in Java with which I get an SSLHandshakeException with the message that PKIX path building failed: unable to find valid certification path to requested target.

I searched, but all the suggestions seem to be that the root CA is not in the trust store. However, I tried adding the root certificate to the truststore, and keytool said:

"The certificate already exists in the CA system-wide keystore under the alias" with the alias name.

I got the certificate for this by going to the site I am trying to use in a browser (Chrome, but no browser complains about any problems) and exporting the root certificate in the chain. I then tried to import it, with the results above (I aborted the import at that point).

I am not sure how to fix this at the moment.

I note that the certificate chain in the browser shows a second CA certificate (so the chain is CA 1 certificate → CA 2 certificate → target certificate), and I think I could try importing that one, but I feel like I'm shooting in the dark.

Is there anything else I am missing?

+4
1 answer

For a certificate to be valid, you must have the full path from it to a trusted root certificate.

Typically, this is done by the server, delivering all the necessary certificates to the client. However, some web servers do not do this; instead, they provide only their own certificate.

It seems likely that you came across such an incorrectly configured server. Try importing the intermediate certificate into the local trust store so that the client can build the whole chain from the server certificate to the trusted root. Remember also the -trustcacerts option.

+1

Source: https://habr.com/ru/post/1395856/

