Import Certificates in Java Truststore from your browser
--
- Are you able to connect to a website from a browser, but not from your Java application?
- Do you know where you can get the trusted certificate from?
- Do you know how to add a certificate to your Java truststore?
If you are facing any such problems, then this article is for you.
Recently I was working on a Spring Boot application that talks to an HTTP endpoint over SSL. But every time it tried to connect, it got this error:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: sun.security.validator.ValidatorException:
The error above means that the application was not able to establish a secure SSL connection to this endpoint. There can be many reasons for this to happen:
- The configured trust store is missing the CA that signed this service's certificate.
- The certificate is self-signed, or it was signed by an internal certificate authority.
- The certificate or your client (browser / Java) may be outdated.
In my case, the certificate was missing from the trust store. So I downloaded the certificate from my browser and added it to my trust store. AMAZINGLY !!!! that worked. So let's see how I was able to pull this off.
Get the CA Certificate from the Endpoint
- Open the service endpoint in your browser.
- Click on the lock icon in the address bar.
- Go to the certificate.
- Select the root certificate authority (the top-level parent).
- To get the certificate, click on the certificate icon and drag it to your desktop.
- Also note down the SHA-1 fingerprint of the certificate. In this case, it is:
3A B0 65 0D 6C 65 8D 53 DA BD EA 3F C4 DB 22 8C 46 57 D0 6C
Replace the spaces with colons, which is the form keytool prints:
3A:B0:65:0D:6C:65:8D:53:DA:BD:EA:3F:C4:DB:22:8C:46:57:D0:6C
Now we have our certificate. Let's see how to import it into our application's trust store.
Importing the certificate in Trust Store
- Java has a default truststore known as cacerts. It is usually present in the location
$JAVA_HOME/jre/lib/security
(on JDK 9 and later there is no jre directory, so look in $JAVA_HOME/lib/security instead).
- The trust store contains the certificates used to authenticate peers; all the public CAs are present here. Once we have found the truststore, let's list all the certificates present in it with the following command.
keytool -keystore $JAVA_HOME/jre/lib/security/cacerts -list
NOTE: The default password for the trust store is : changeit
- My trust store contained 96 entries (it should be 95 in your case), each with the name of a root CA and its trusted SHA-1 fingerprint. Newer JDKs print SHA-256 fingerprints instead; keytool -list -v shows both, so compare the fingerprint of the same type as the one you noted in the browser.
Check if the certificate is present in your truststore:
- Search this list for the fingerprint we got from the certificate above.
- If it is not present, which is usually the case, proceed below to add it to the truststore.
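An added helper for the check above (my code, not the article's): it computes the fingerprint of the downloaded .cer file in the colon-separated form keytool prints, then looks it up in the output of keytool -list. The listing embedded here is a constructed sample carrying the article's fingerprint; on a real machine, save the output of keytool -list to a file and pass its contents in as the listing.

```python
import base64
import hashlib
import re

# Constructed sample of `keytool -list` output (JDK 8 prints SHA1, JDK 9+ SHA-256
# fingerprints); the second entry carries the fingerprint noted from the browser above.
SAMPLE_LISTING = """\
Your keystore contains 2 entries

digicertglobalrootca, Jan 1, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
testcert, Feb 2, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 3A:B0:65:0D:6C:65:8D:53:DA:BD:EA:3F:C4:DB:22:8C:46:57:D0:6C
"""

def der_from_cert_file(data: bytes) -> bytes:
    """Return the DER bytes of a downloaded .cer file, whether it is PEM or raw DER."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        body = data.split(b"-----BEGIN CERTIFICATE-----", 1)[1]
        body = body.split(b"-----END CERTIFICATE-----", 1)[0]
        return base64.b64decode(b"".join(body.split()))
    return data

def format_fingerprint(digest: bytes) -> str:
    """Render a digest the way keytool prints it: upper-case hex pairs joined by colons."""
    return ":".join(f"{b:02X}" for b in digest)

def fingerprints(der: bytes) -> dict:
    """A certificate fingerprint is just a hash over its DER encoding."""
    return {"SHA1": format_fingerprint(hashlib.sha1(der).digest()),
            "SHA256": format_fingerprint(hashlib.sha256(der).digest())}

def find_alias(listing: str, fingerprint: str):
    """Alias of the `keytool -list` entry carrying `fingerprint`, or None if absent."""
    alias = None
    for line in listing.splitlines():
        entry = re.match(r"^(\S+),.*trustedCertEntry", line)
        if entry:
            alias = entry.group(1)   # the fingerprint line follows the entry line
            continue
        fp = re.search(r"fingerprint \(SHA-?(1|256)\):\s*([0-9A-Fa-f:]+)", line)
        if fp and alias and fp.group(2).upper() == fingerprint.upper():
            return alias
    return None

def trusted_alias(cert_file: bytes, listing: str):
    """Alias under which the certificate is already in the trust store, else None."""
    fps = fingerprints(der_from_cert_file(cert_file))
    return find_alias(listing, fps["SHA1"]) or find_alias(listing, fps["SHA256"])
```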
Adding the certificate into Java truststore
- Be careful while adding certificates to the Java trust store: only add certificates that you trust.
- To add the certificate, use the keytool command-line tool, which comes bundled with Java:
sudo keytool -import -alias testCert -keystore $JAVA_HOME/jre/lib/security/cacerts -file medium.com.cer
alias: some name to identify your certificate easily
file: the certificate file you downloaded above
The default password for the truststore is: changeit
keytool prints the fingerprints of the certificate and asks whether to trust it; check that the fingerprint matches the one you noted in the browser before answering yes.
- After adding the certificate, restart your JVM, or simply put, your application. Now your application should be able to connect to the HTTP service over SSL.
HURRAAAYYY !!!! you have just configured the Java truststore.
Points to Remember:
- In case you need to delete a certificate from the truststore, use the following command:
keytool -delete -alias testCert -keystore $JAVA_HOME/lib/security/cacerts
where alias is the alias you used when storing the certificate earlier.
- cacerts belongs to a specific Java installation, so add your certificate to the correct version in case you have multiple versions of Java installed.
Keep Coding !!! Until next Time.