PKI Tutorials - Herong's Tutorial Examples
Dr. Herong Yang, Version 2.00

PKIX Path Building Failed - No CA Certificate

This section provides a tutorial example on how to use the 'java -Djavax.net.ssl.trustStore' option to override the default trusted KeyStore, and how to demonstrate a 'PKIX path building failed - unable to find valid certification path to requested target' error.

Following previous tests on https://login.yahoo.com, I want to prove that Java is verifying Yahoo's certificate against its root CA certificate. Here is what I did:

1. Identify the root CA of login.yahoo.com - This can be done by using Firefox to view the certificate path on https://login.yahoo.com. See the Firefox chapter for detailed steps.

GTE CyberTrust Global Root            - The root CA certificate
|- DigiCert High Assurance EV Root CA - An intermediate CA certificate
   |- DigiCert High Assurance CA-3    - An intermediate CA certificate
      |- login.yahoo.com              - The Web server certificate

2. Identify the root CA certificate in the KeyStore file - It is not that hard to identify the alias name of the "GTE CyberTrust Global Root" certificate in the KeyStore file. By looking at the output of the "keytool -list" command listed in the previous section, I can see that the alias name for the "GTE CyberTrust Global Root" certificate is "gtecybertrustglobalca".

3. Delete the root CA certificate from the KeyStore File - See commands below:

C:\herong>copy cacerts_original cacerts_no_gte
        1 file(s) copied.

C:\herong>\local\jdk\bin\keytool -delete -alias gtecybertrustglobalca
   -keystore cacerts_no_gte -storepass changeit

4. Run the test with the new KeyStore File:

C:\herong>\local\jdk\bin\java 
   -Djavax.net.ssl.trustStore=cacerts_no_gte 
   HttpsUrlReader https://login.yahoo.com

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.o...
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Sign in to Yahoo!</title>

It is still working! Do you know why? It is because the intermediate CA certificate "DigiCert High Assurance EV Root CA" is still in the trusted KeyStore file, listed under the alias "digicerthighassuranceevrootca". The path builder stops as soon as it reaches any certificate in the trust store, so a trusted intermediate is enough.

5. Delete the intermediate CA certificate and test it again:

C:\herong>copy cacerts_no_gte cacerts_no_gte_digicert
        1 file(s) copied.

C:\herong>\local\jdk\bin\keytool -delete 
   -alias digicerthighassuranceevrootca 
   -keystore cacerts_no_gte_digicert -storepass changeit

C:\herong>\local\jdk\bin\java                                        
   -Djavax.net.ssl.trustStore=cacerts_no_gte_digicert                
   HttpsUrlReader https://login.yahoo.com                            
                                                      
javax.net.ssl.SSLHandshakeException:                                 
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:          
unable to find valid certification path to requested target          
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Ale...
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSoc...
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handsha...
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handsha...
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCer...
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMe...
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Han...
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(...
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(S...
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performIniti...
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandsha...
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandsha...
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Htt...
        at un.net.www.protocol.https.AbstractDelegateHttpsURLConne...
        at sun.net.www.protocol.http.HttpURLConnection.getInputStr...
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getIn...
        at java.net.URL.openStream(URL.java:1010)                    
        at HttpsUrlReader.main(HttpsUrlReader.java:11)               
                                                      
Caused by: 
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:          
unable to find valid certification path to requested target          
        at sun.security.validator.PKIXValidator.doBuild(PKIXValida...
        at sun.security.validator.PKIXValidator.engineValidate(PKI...
        at sun.security.validator.Validator.validate(Validator.jav...
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.valid...
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.check...
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.check...
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCer...
        ... 13 more                                                  
                                                      
Caused by: sun.security.provider.certpath.SunCertPathBuilderException
unable to find valid certification path to requested target          
        at sun.security.provider.certpath.SunCertPathBuilder.engin...
        at java.security.cert.CertPathBuilder.build(CertPathBuilde...
        at sun.security.validator.PKIXValidator.doBuild(PKIXValida...
        ... 19 more

This is what I was expecting. The "SSLHandshakeException" with the clear error message "unable to find valid certification path to requested target" tells us that JSSE failed to validate the "login.yahoo.com" certificate.

Conclusion:

  • Java with JSSE validates the server certificate by default.
  • JSSE uses the default "cacerts" KeyStore file for trusted root CA and intermediate CA certificates.
  • You can override the trusted certificate KeyStore file by using the system property: javax.net.ssl.trustStore.
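As an added diagnostic that is not part of this tutorial, the Java program below (the name PkixPathCheck and the chain.pem input are my own assumptions; chain.pem is the server chain exported from Firefox, leaf certificate first) feeds that chain and the trust store named by -Djavax.net.ssl.trustStore to the same PKIX CertPathBuilder that JSSE relies on. Run it with cacerts_no_gte to see the path end at the DigiCert intermediate, and with cacerts_no_gte_digicert to reproduce the "unable to find valid certification path" failure without a network connection.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// Builds the PKIX path for a saved server chain against the trust store named
// by -Djavax.net.ssl.trustStore, using the same CertPathBuilder JSSE uses.
// Usage: java -Djavax.net.ssl.trustStore=cacerts_no_gte PkixPathCheck chain.pem
public class PkixPathCheck {
    public static void main(String[] args) throws Exception {
        String storePath = System.getProperty("javax.net.ssl.trustStore");
        String storePass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        // Load the trust store the same way JSSE would for the given property
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(storePath)) {
            trustStore.load(in, storePass.toCharArray());
        }
        // chain.pem (assumed): server chain exported from the browser, leaf first
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }

        // The leaf is the build target; the rest of the chain is offered as
        // candidate intermediates, just as the server sends them in the handshake
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false); // path building only, no CRL/OCSP lookups

        try {
            // Building stops at the first certificate found among the trust anchors,
            // which is why an intermediate left in cacerts is enough to succeed
            PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("Path built; trust anchor: "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            // Same failure that JSSE wraps in SSLHandshakeException / ValidatorException
            System.out.println("PKIX path building failed: " + e.getMessage());
        }
    }
}
```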

Dr. Herong Yang, updated in 2011