Java SSL

If the root CA certificate of the HTTPS URL is not in the Java trust store, the following exception is thrown in Java:


javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

The same exception also appears when the server does not send its intermediate certificates, so check the full chain in the browser first; only a root that is genuinely missing from the trust store should be imported.


To configure SSL in a Java environment on older JDK versions, follow the steps below.


If you can access the HTTPS URL in your browser, it is possible to update Java to recognize the root CA. In this case the URL is https://www.tecxoft.com or https://tsa.tecxoft.com; both use the same SSL certificate.


Note: The SSL certificate for this website and its subdomains works with Java 1.8 or later. If you are using an older version of Java, e.g. 1.6 or 1.7, you may run into this SSL issue. In that case follow the procedure below.


In your browser, go to the HTTPS URL that Java could not access. Open the certificate chain (the lock icon in Internet Explorer, or the domain name to the left of the URL in Firefox) and navigate the certificate hierarchy. At the top there should be the root CA; this is what may be missing from your Java cacerts file. Note down its Issuer and Serial Number.


To verify the root certificates, determine where the cacerts file is located. By default it is in jre/lib/security/cacerts (on JDK 9 and later there is no separate jre directory and the file is lib/security/cacerts). The default password for this keystore is 'changeit'.


e.g. on my system I have both a JDK and a JRE; here is where they are located. Different versions of Java have different cacerts files, so make sure you edit the one used by the JVM that fails.


./jdk1.6.0_24/jre/lib/security/cacerts
./jre1.6.0_24/lib/security/cacerts


Once you have your keystore, dump its contents by using the list option.


keytool -list -v -keystore /path/to/cacerts > java_cacerts.txt
Enter keystore password: changeit


Take a look at java_cacerts.txt. See if it includes the same certificate that is present in the browser by searching for a matching serial number. In java_cacerts.txt the serial number is printed in lowercase hex without the ":" separators, and because keytool prints it as a number, any leading zero is dropped as well (a browser serial of 08:3B:E0:... appears as 83be0...). If it is not present, this is likely the reason for the error, and we can fix it by adding the certificate found in the browser.


Back in the browser, export the root CA. Choose the "X.509 Certificate (DER)" type so the exported file has a .der extension; a .crt extension is also common for the same format.


Assuming the file is called example.der or example.crt, pick the alias 'example' for this certificate, then import the file:


keytool -import -alias example -keystore /path/to/cacerts -file example.der


You will be prompted for a password; use 'changeit'. keytool then prints the certificate's owner, serial number and fingerprints and asks whether to trust it. Before answering "yes", compare the fingerprint with one published by the CA through a channel other than the page you were just browsing: if that browser session was itself intercepted, you would be installing the interceptor's root into every Java application on the host.


Dump the contents again to verify that the keystore now contains your certificate. Restart the JVM and check that it can access the HTTPS URL. Keep in mind that editing the JDK's own cacerts affects every application run with that JDK and the change is lost on the next JDK upgrade; an alternative is to import into a copy of cacerts and point only the affected JVM at it with -Djavax.net.ssl.trustStore=/path/to/copy.
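The procedure above, scripted as an added example (not part of the original page): it normalises the serial number the browser shows into the form keytool prints, checks whether that serial is already in a keytool dump, and wraps the keytool commands for dumping, fingerprinting and importing. The sample keytool entry is constructed inline so the serial check runs without a JDK; the keystore paths, the alias "example" and the file name example.der are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Only the text helpers run offline;
# dump_cacerts, print_fingerprints and import_root_ca require keytool on PATH.

# Browsers display serials as colon-separated upper-case hex, e.g.
# "08:3B:E0:56:90:42:46:B1:A1:75:6A:C9:59:91:C7:4A". keytool prints the same
# serial as a number in hex: lower case, no colons, leading zeros dropped
# ("83be056904246b1a1756ac95991c74a"). Normalise to the keytool form.
normalize_serial() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f' | sed 's/^0*\(.\)/\1/'
}

# Read a "keytool -list -v" dump on stdin; succeed if some "Serial number:"
# line equals the normalised serial given as $1.
serial_in_dump() {
    want=$(normalize_serial "$1")
    sed -n 's/^Serial number: *//p' | grep -qx "$want"
}

# Dump a keystore non-interactively; the default cacerts password is "changeit".
dump_cacerts() {
    keytool -list -v -keystore "$1" -storepass "${2:-changeit}"
}

# Print owner, serial and SHA-1/SHA-256 fingerprints of an exported DER/CRT
# file. Compare the fingerprints against a value obtained out of band (the
# CA's published root fingerprints) before trusting what the browser showed.
print_fingerprints() {
    keytool -printcert -file "$1"
}

# Import the exported root into a keystore under the given alias.
# Usage: import_root_ca <file> <alias> <keystore> [password]
import_root_ca() {
    keytool -import -noprompt -alias "$2" -keystore "$3" \
        -storepass "${4:-changeit}" -file "$1"
}

# Constructed sample of one keytool -list -v entry, used for the offline check.
SAMPLE_DUMP='Alias name: digicertglobalrootca
Creation date: Aug 25, 2016
Entry type: trustedCertEntry

Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: 83be056904246b1a1756ac95991c74a
Valid from: Fri Nov 10 00:00:00 UTC 2006 until: Mon Nov 10 00:00:00 UTC 2031'

# Offline demonstration: the serial as shown by the browser matches the
# keytool line despite the different formatting.
if printf '%s\n' "$SAMPLE_DUMP" | serial_in_dump "08:3B:E0:56:90:42:46:B1:A1:75:6A:C9:59:91:C7:4A"; then
    echo "sample root already present in dump"
else
    echo "sample root missing from dump"
fi

# On a real system (assumed paths and serial), import only if it is missing,
# and look at the fingerprints first:
# SERIAL="08:3B:E0:56:90:42:46:B1:A1:75:6A:C9:59:91:C7:4A"
# dump_cacerts "$JAVA_HOME/jre/lib/security/cacerts" | serial_in_dump "$SERIAL" \
#     || { print_fingerprints example.der; import_root_ca example.der example /path/to/cacerts; }
```

Importing into a copy of cacerts and starting the JVM with -Djavax.net.ssl.trustStore=/path/to/copy keeps the new root confined to the one application that needs it instead of every Java program on the host.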


