Java InstallCert: Resolution for PKIX Path Building Failed Error
The sun.security.validator.ValidatorException: PKIX path building failed error occurs when a Java application attempts to connect to a website or web service over HTTPS, but the website’s SSL/TLS certificate is not trusted by the Java Runtime Environment (JRE) [1].
Java maintains its own isolated truststore of certificate authorities (CAs), separate from your operating system or browser. If a server uses a self-signed certificate, a private company CA, or a newer public CA missing from Java’s default cacerts file, the connection fails.
InstallCert is a classic, open-source Java utility designed to resolve this issue by automatically connecting to the target server, fetching its certificate chain, and injecting it directly into your local Java truststore. Prerequisites Before Running InstallCert
To resolve this error, you need the following configuration on your local machine:
Java Development Kit (JDK): Ensure a JDK is installed and configured in your environment path.
Administrator Privileges: Modifying the Java truststore requires administrative access on Windows (Run as Administrator) or root privileges on Linux/macOS (sudo). Step-by-Step Guide to Using InstallCert Step 1: Obtain the InstallCert Source Code
Since InstallCert is not bundled natively with Java, you must compile it yourself. Create a file named InstallCert.java.
Copy and paste the standard open-source InstallCert code into it. (Reliable versions can be found on public repositories like GitHub under esvit/java-installcert). Step 2: Compile the Java Class
Open your terminal or command prompt in the directory containing InstallCert.java and compile it using the Java compiler: javac InstallCert.java Use code with caution.
This command generates two files in your directory: InstallCert.class and InstallCert$SavingTrustManager.class. Step 3: Execute InstallCert against the Target Host
Run the program by specifying the hostname (and optional port) of the server causing the PKIX error. If no port is specified, it defaults to 443. java InstallCert your-secure-api-domain.com:443 Use code with caution. Step 4: Select and Save the Certificate
The program will attempt to open a handshake with the target server.
It will display the certificate chain and output an error indicating that the chain is not trusted.
It will prompt you: Enter certificate to add to trusted keystore or ‘q’ to quit: [1].
Review the chain. Type 1 (or the appropriate number of the primary certificate) and press Enter.
The utility will add the certificate to a local keystore file named jssecacerts in your current working directory. Step 5: Apply the Keystore to your JRE/JDK
For your Java applications to stop throwing the PKIX error, Java must recognize the new certificate. You have two options to apply this change:
Option A: Replace the Default cacerts File (Recommended Global Fix)
Copy the newly generated jssecacerts file into your Java installation directory, renaming it to replace the original cacerts file.
Windows Target Directory:C:\Program Files\Java\jdk-xx\lib\security</code> (or \jre\lib\security</code> on older Java versions)
Linux / macOS Target Directory:/usr/lib/jvm/java-xx-openjdk/lib/security/ Example Command (Linux/macOS):
sudo cp jssecacerts /usr/lib/jvm/java-17-openjdk/lib/security/cacerts Use code with caution.
Option B: Pass the Keystore via JVM Arguments (Application Specific)
If you prefer not to modify the global Java installation, you can force your specific application to read your new file by passing system properties at runtime:
java -Djavax.net.ssl.trustStore=/path/to/jssecacerts -Djavax.net.ssl.trustStorePassword=changeit -jar your-app.jar Use code with caution. Security Considerations
While InstallCert provides an immediate fix for development and internal enterprise issues, keep the following security practices in mind:
Verify the Fingerprint: When InstallCert fetches the certificate, cross-reference the displayed SHA-1 or SHA-256 fingerprint with a trusted browser connection to ensure you are not victims of a Man-in-the-Middle (MitM) attack.
Default Password: The default password for Java’s cacerts truststore is changeit. If your organization modifies this password, InstallCert will fail to write to the file unless you modify the password string inside the InstallCert.java source code before compiling.
Production Environments: Avoid using InstallCert directly in production pipelines. Instead, use official certificate management tools (keytool) to import certificates that have been vetted and securely delivered by your infrastructure team. To make sure this fixes your issue, let me know: What Java version are you running?
Leave a Reply