I need to be able to use our private PKI CA to authenticate with a Java application. Specifically, I need to be able to securely send email through our smart hub originating on a host running iDempiere.
I am testing this using the SSLPoke class.
JAVA_VERSION="11" java SSLPoke mx32.harte-lyne.ca 465
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
My research indicates that this error is commonly encountered when the CA certificate for the destination host certificate is not found in the lib/security/cacerts file.
I have added our private CA certs [hll] to cacerts and verified that they are present:
JAVA_VERSION="11" keytool -list -rfc -cacerts > cacerts.txt
grep 'Alias' cacerts.txt
. . .
Alias name: godaddyclass2ca [jdk]
Alias name: godaddyrootg2ca [jdk]
Alias name: hartelyneissuer2016 [hll]
Alias name: hartelyneroot2016 [hll]
Alias name: identrustcommercial [jdk]
Alias name: identrustdstx3 [jdk]
. . .
And yet, when I test this using the SSLPoke class I get this error:
JAVA_VERSION="11" java SSLPoke mx32.harte-lyne.ca 465
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369)
What else is required to get our CA certs to be recognised by Java?