Overview
A quick and easy way to eliminate javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target without making dangerous changes to your default trust store.
Steps
- Create a new keystore and associated key entry by executing the following command (N.B. The password values for the
-keypassand-storepassoptions must be identical for Tomcat to work):keytool -genkey -alias tomcat -keyalg RSA -keypass <password> -keystore <user-home>/tomcat.jks -storepass <password> - Enter and confirm your details.
- Uncomment the “SSL HTTP/1.1 Connector” entry in
$CATALINA_BASE/conf/server.xml. - Add
keystoreFileandkeystorePassattributes with the appropriate values. The result should now resemble the following:<!-- Define a SSL HTTP/1.1 Connector on port 8443 This connector uses the JSSE configuration, when using APR, the connector should be using the OpenSSL style configuration described in the APR documentation --> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="${user.home}/tomcat.jks" keystorePass="<password>" clientAuth="false" sslProtocol="TLS" /> - Restart Tomcat and deploy your HTTPS constrained resources.
- Add a
@BeforeClassmethod to any tests generating HTTPS requests. Use this method to set thejavax.net.ssl.trustStoreandjavax.net.ssl.trustStorePasswordsystem properties. For example:@BeforeClass public static void setUp() { System.setProperty("javax.net.ssl.trustStore", "<user-home>/tomcat.jks"); System.setProperty("javax.net.ssl.trustStorePassword", "<password>"); } - JSSE now uses the new keystore created in steps 1 and 2 as opposed to the default,
<java-home>/jre/lib/security/cacerts, trust store.
Technical Musings 