PKI Tutorials - Herong's Tutorial Examples - v2.32, by Herong Yang
PKIX Path Building Failed - No CA Certificate
This section provides a tutorial example on how to use the 'java -Djavax.net.ssl.trustStore=...' option to override the default trusted KeyStore, and how to produce a 'PKIX path building failed - unable to find valid certification path to requested target' error on purpose by removing CA certificates from that KeyStore.
Following the previous tests on https://login.yahoo.com, I want to prove that Java is really verifying yahoo's certificate against a CA certificate in its trusted KeyStore. Here is what I did:
1. Identify the root CA of login.yahoo.com - This can be done by using Firefox to view the certificate path on https://login.yahoo.com. See the Firefox chapter for detailed steps.
   GTE CyberTrust Global Root - The root CA certificate
    |- DigiCert High Assurance EV Root CA - An intermediate CA certificate
        |- DigiCert High Assurance CA-3 - An intermediate CA certificate
            |- login.yahoo.com - The Web server certificate
2. Identify the root CA certificate in the KeyStore file - It is not hard to find the alias of the "GTE CyberTrust Global Root" certificate in the KeyStore file. In the output of the "keytool -list" command listed in the previous section, the alias of the "GTE CyberTrust Global Root" certificate is "gtecybertrustglobalca".
3. Delete the root CA certificate from the KeyStore File - See commands below:
   herong> copy cacerts_original cacerts_no_gte
           1 file(s) copied.

   herong> keytool -delete -alias gtecybertrustglobalca \
      -keystore cacerts_no_gte -storepass changeit
4. Run the test with the new KeyStore File:
   herong> java -Djavax.net.ssl.trustStore=cacerts_no_gte \
      HttpsUrlReader https://login.yahoo.com

   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.o...
   <html>
   <head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   <title>Sign in to Yahoo!</title>
It still works! Do you know why? It is because the intermediate CA certificate "DigiCert High Assurance EV Root CA" is still in the trusted KeyStore file, under the alias "digicerthighassuranceevrootca". PKIX path building does not have to reach the top of the chain that Firefox displayed: it starts from the server certificate and stops as soon as it reaches any certificate that is a trust anchor in the KeyStore, and the DigiCert certificate is one. A certificate shown as an intermediate by one client can be a trust anchor in another client's store; what matters to JSSE is only whether the certificate is in its own trusted KeyStore.
5. Delete the intermediate CA certificate and test it again:
   herong> copy cacerts_no_gte cacerts_no_gte_digicert
           1 file(s) copied.

   herong> keytool -delete \
      -alias digicerthighassuranceevrootca \
      -keystore cacerts_no_gte_digicert -storepass changeit

   herong> java -Djavax.net.ssl.trustStore=cacerts_no_gte_digicert \
      HttpsUrlReader https://login.yahoo.com

   javax.net.ssl.SSLHandshakeException:
    sun.security.validator.ValidatorException: PKIX path building failed:
    sun.security.provider.certpath.SunCertPathBuilderException:
    unable to find valid certification path to requested target
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Ale...
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSoc...
       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handsha...
       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handsha...
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCer...
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMe...
       at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Han...
       at com.sun.net.ssl.internal.ssl.Handshaker.process_record(...
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(S...
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performIniti...
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandsha...
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandsha...
       at sun.net.www.protocol.https.HttpsClient.afterConnect(Htt...
       at sun.net.www.protocol.https.AbstractDelegateHttpsURLConne...
       at sun.net.www.protocol.http.HttpURLConnection.getInputStr...
       at sun.net.www.protocol.https.HttpsURLConnectionImpl.getIn...
       at java.net.URL.openStream(URL.java:1010)
       at HttpsUrlReader.main(HttpsUrlReader.java:11)
   Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
    sun.security.provider.certpath.SunCertPathBuilderException:
    unable to find valid certification path to requested target
       at sun.security.validator.PKIXValidator.doBuild(PKIXValida...
       at sun.security.validator.PKIXValidator.engineValidate(PKI...
       at sun.security.validator.Validator.validate(Validator.jav...
       at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.valid...
       at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.check...
       at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.check...
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCer...
       ... 13 more
   Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
    unable to find valid certification path to requested target
       at sun.security.provider.certpath.SunCertPathBuilder.engin...
       at java.security.cert.CertPathBuilder.build(CertPathBuilde...
       at sun.security.validator.PKIXValidator.doBuild(PKIXValida...
       ... 19 more
This is what I was expecting. The "SSLHandshakeException" with the clear message "unable to find valid certification path to requested target" tells us that JSSE failed to validate the "login.yahoo.com" certificate: with both the GTE CyberTrust root and the DigiCert certificate removed, none of the certificates in the chain sent by the server leads to a trust anchor in the KeyStore, so the handshake is aborted before any HTTP data is exchanged. The same error is what you get when connecting to a server whose CA is simply not in cacerts; the right fix in that case is to add the CA's certificate to a trusted KeyStore with "keytool -importcert", not to replace the trust manager with one that accepts everything.
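The three experiments above (full cacerts, root removed, root and DigiCert removed) come down to one PKIX rule: the path builder walks from the server certificate toward the issuers the server sent, stops at the first certificate that is itself in the trust store, and fails only when no such certificate is reachable. The following program is added here as an example and is not part of Herong's tutorial; it reproduces the three outcomes offline. It is written in Go rather than Java because the Go standard library can mint a throwaway root, intermediate and server certificate in memory and run the same PKIX path building through crypto/x509. The certificate names, serial numbers and host name are stand-ins chosen for the example, not the real yahoo or DigiCert certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> leaf chain standing in for the yahoo chain.
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

// certTemplate describes a CA (ca=true) or a server leaf (ca=false) named cn.
func certTemplate(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mintCert issues tmpl signed by parent's key; a nil parent means self-signed.
func mintCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain mints the three certificates in memory (constructed test data, not real CAs).
func BuildChain() (*Chain, error) {
	root, rootKey, err := mintCert(certTemplate("Example Global Root", 1, true), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := mintCert(certTemplate("Example High Assurance CA", 2, true), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := mintCert(certTemplate("login.example.test", 3, false), inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyWithTrustStore builds a PKIX path for the leaf against the given trust anchors
// (the "cacerts" of the experiment); the intermediate is always sent untrusted, as a server would.
func VerifyWithTrustStore(c *Chain, anchors ...*x509.Certificate) error {
	roots := x509.NewCertPool() // non-nil and possibly empty: no fallback to system roots
	for _, a := range anchors {
		roots.AddCert(a)
	}
	inters := x509.NewCertPool()
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: "login.example.test", Roots: roots, Intermediates: inters})
	return err
}

// IsUnknownAuthority reports the Go counterpart of "unable to find valid certification path".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("root trusted (cacerts):    ", VerifyWithTrustStore(c, c.Root))
	fmt.Println("only intermediate (no_gte):", VerifyWithTrustStore(c, c.Intermediate))
	fmt.Println("neither (no_gte_digicert): ", VerifyWithTrustStore(c))
}
```

Running it prints <nil> for the first two cases and an "x509: certificate signed by unknown authority" error for the third, which is the Go equivalent of SunCertPathBuilderException. The Go Roots pool, like a JSSE trusted KeyStore, accepts any certificate placed in it as a trust anchor whether or not it is self-signed, which is why removing the GTE CyberTrust root alone changed nothing in the tutorial.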
Conclusion: