PKIX Path Building Failed - No CA Certificate

This section provides a tutorial example on how to use the 'java -Djavax.net.ssl.trustStore' to override the default trusted KeyStore and how to demonstrate a 'PKIX path building failed - unable to find valid certification path to requested target' error.

Following previous tests on https://login.yahoo.com, I want to prove that Java is verifying yahoo's certificate against its root CA certificate. Here is what I did:

1. Identify the root CA of login.yahoo.com - This can be done by using Firefox to view the certificate path on https://login.yahoo.com. See the Firefox chapter for detailed steps.

GTE CyberTrust Global Root              - The root CA certificate
 |- DigiCert High Assurance EV Root CA  - An intermediate CA certificate
     |- DigiCert High Assurance CA-3    - An intermediate CA certificate
         |- login.yahoo.com             - The Web server certificate

2. Identify the root CA certificate in the KeyStore file - It is not that hard to identify the alias name of the "GTE CyberTrust Global Root" certificate in the KeyStore file. Looking at the output of the "keytool -list" command in the previous section, I can see that the alias name of the "GTE CyberTrust Global Root" certificate is "gtecybertrustglobalca".

3. Delete the root CA certificate from the KeyStore File - See commands below:

herong> copy cacerts_original cacerts_no_gte
        1 file(s) copied.

herong> keytool -delete -alias gtecybertrustglobalca \
   -keystore cacerts_no_gte -storepass changeit

4. Run the test with the new KeyStore File:

herong> java -Djavax.net.ssl.trustStore=cacerts_no_gte \
   HttpsUrlReader https://login.yahoo.com

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.o...
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Sign in to Yahoo!</title>

It is still working! Do you know why? It is because the intermediate CA certificate "DigiCert High Assurance EV Root CA" is still in the trusted KeyStore file, listed under the alias "digicerthighassuranceevrootca". Any certificate in the trusted KeyStore is accepted as a trust anchor, so the PKIX path builder can stop at that intermediate certificate without ever needing the root.

5. Delete the intermediate CA certificate and test it again:

herong> copy cacerts_no_gte cacerts_no_gte_digicert
        1 file(s) copied.

herong> keytool -delete \
   -alias digicerthighassuranceevrootca \
   -keystore cacerts_no_gte_digicert -storepass changeit

herong> java -Djavax.net.ssl.trustStore=cacerts_no_gte_digicert \
   HttpsUrlReader https://login.yahoo.com

javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Ale...
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSoc...
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handsha...
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handsha...
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCer...
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMe...
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Han...
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(...
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(S...
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performIniti...
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandsha...
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandsha...
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Htt...
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConne...
        at sun.net.www.protocol.http.HttpURLConnection.getInputStr...
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getIn...
        at java.net.URL.openStream(URL.java:1010)
        at HttpsUrlReader.main(HttpsUrlReader.java:11)

Caused by:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValida...
        at sun.security.validator.PKIXValidator.engineValidate(PKI...
        at sun.security.validator.Validator.validate(Validator.jav...
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.valid...
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.check...
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.check...
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCer...
        ... 13 more

Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engin...
        at java.security.cert.CertPathBuilder.build(CertPathBuilde...
        at sun.security.validator.PKIXValidator.doBuild(PKIXValida...
        ... 19 more

This is what I was expecting. The "SSLHandshakeException" with the clear error message "unable to find valid certification path to requested target" tells us that JSSE failed to validate the "login.yahoo.com" certificate against the trusted KeyStore.
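To see the trust-anchor behaviour from steps 4 and 5 without a live handshake, here is an added example (not from the book) that runs the same PKIX path builder JSSE uses against a KeyStore file of your choice. It assumes the server certificate chain has been exported from the browser into a PEM file (server certificate first, then the intermediates); the class name PkixPathCheck is my own. Against cacerts_no_gte it should report "DigiCert High Assurance EV Root CA" as the anchor, and against cacerts_no_gte_digicert it should print the same "unable to find valid certification path" message seen above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// Builds a PKIX path from the server certificate to a trust anchor taken
// from the given KeyStore and reports which anchor ended the path.
public class PkixPathCheck {
    public static void main(String[] args) throws Exception {
        String chainFile = args[0];   // PEM: server cert first, then intermediates
        String trustStore = args[1];  // e.g. cacerts_no_gte
        String storePass = args.length > 2 ? args[2] : "changeit";

        // Server certificate plus intermediates, as the server would send them
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(chainFile)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }

        // Every trustedCertEntry in the KeyStore becomes a trust anchor,
        // which is why a trusted intermediate alone is enough.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStore)) {
            ks.load(in, storePass.toCharArray());
        }

        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(ks, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false); // offline check: no CRL/OCSP fetch

        try {
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("Path length (anchor excluded): "
                    + r.getCertPath().getCertificates().size());
            System.out.println("Trust anchor: " + r.getTrustAnchor()
                    .getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("PKIX path building failed: " + e.getMessage());
        }
    }
}
```

Run it as `java PkixPathCheck chain.pem cacerts_no_gte` and then with cacerts_no_gte_digicert; revocation checking is turned off only so the check works offline, the JSSE default in this era behaves the same.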

Conclusion:
