1

I need to connect to a URL over HTTPS using Java. I don't have any experience with SSL certificates, and most of the questions here assume some basic knowledge. I was hoping someone here could get me started on the basics.

When I put the URL in my browser, it connects just fine. When I do it using Java:

new URL("https://mysite.com/").openStream()

it throws javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This question shows how to ignore the whole certificate thing, but that doesn't feel right. I simply want to use the same certificate my browser does.

I've already tried adding the -Djavax.net.ssl.trustStore=cacerts property, which changes the exception to javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty, which I've taken from this question to mean it can't find the trust store called cacerts. I'm not sure what else to specify, though.

3
  • It seems that mysite.com uses a self-signed certificate, or so. Have you imported the certificate that mysite.com offers to cacerts? Commented Jan 31, 2014 at 10:42
  • I haven't added anything manually. I figure since my browser can find the certificate, Java should be able somehow too, I just have to tell it where to look. Commented Jan 31, 2014 at 10:44
  • You need to use the keytool command that comes with the JVM to import the server certificate (and most probably the root CA that signed it) into your keystore. cacerts is the default CA store shipped with the JVM. Commented Jan 31, 2014 at 10:44

1 Answer

1

Many sites use self-signed certificates for SSL. You should add them to your JRE's cacerts file. In such cases I use the following steps:

  1. Go to https://mysite.com with your browser
  2. Save its certificate to your local machine
  3. Import it to your cacerts with the keytool command. The command line looks like this: keytool -import -alias mysite -file mysite.cer -keystore {path/to/cacerts}

As an alternative, you can use the openssl s_client utility to retrieve the mysite.com certificate.


3 Comments

Thanks, this worked like a charm! I created a new keystore instead of using cacerts, since I'm not sure what password it wanted, but that's a minor detail. So, if I understand correctly, my browser automatically detects the site has a so-called self-signed certificate and imports it automatically, but I have to find and import it manually in order for Java to recognize that.
Default password for JRE's cacerts is changeit
Yes, browsers can detect that a certificate is self-signed, or so. Usually, they show a warning like this: The site's security certificate is not trusted in such cases.
