SSL:Java Keystores - lbonanomi/notes GitHub Wiki
Java is barfing with a "SunCertPathBuilderException" error
If you see this:
Caused by: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
If Java is managing SSL directly: Java doesn't trust the certificate signer. If you have an internal CA, append the intermediate certificate to the server's certificate.
If Java is behind an [[Apache]] proxy: If you have an internal CA, save a copy of the intermediate certificate on the proxy host and point to it with the [[Apache]] config directive SSLCertificateChainFile, or create a stacked certificate (PEM/Chain/Key) and load it with SSLCertificateFile.
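The missing-intermediate cause described above can be reproduced and checked offline with openssl. This is an added example, not part of the original notes: the demo CA subjects, file names and the functions build_demo_pki, chain_ok and demo are made up for illustration, and `openssl verify` stands in for Java's certification path builder.

```shell
#!/usr/bin/env bash
# Added example: constructed three-tier PKI (root -> intermediate -> leaf).
# All subjects, file names and function names here are made up for the demo.

build_demo_pki() {   # $1 = scratch directory
  local d=$1
  # Minimal config so both CA certificates carry basicConstraints CA:TRUE
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/pki.cnf"
  # Root CA: self-signed; this is what the client's trust store holds
  openssl req -x509 -config "$d/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem" -days 2 2>/dev/null
  # Intermediate CA: signed by the root
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/pki.cnf" -extensions v3_ca -days 2 -out "$d/inter.pem" 2>/dev/null
  # Server (leaf) certificate: signed by the intermediate, not by the root
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=app.example.internal" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# $1 = trusted root PEM, $2 = PEM file as the server presents it (leaf first,
# then any intermediates). Succeeds only if a path leaf -> ... -> root exists.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo() {
  local d; d=$(mktemp -d)
  build_demo_pki "$d"
  # Leaf alone: the client cannot bridge leaf -> root (same cause as the PKIX error)
  chain_ok "$d/root.pem" "$d/leaf.pem" && echo "leaf only: OK" || echo "leaf only: no path to root"
  # Fix from the notes: append the intermediate to the server's certificate
  cat "$d/leaf.pem" "$d/inter.pem" > "$d/stacked.pem"
  chain_ok "$d/root.pem" "$d/stacked.pem" && echo "stacked:   OK" || echo "stacked:   no path to root"
  rm -rf "$d"
}

demo
```

To check a real deployment, pass your internal root CA as the first argument to chain_ok and the file the server is configured to present as the second.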
Generating keys
openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
Converting PKCS12 files to/from OpenSSL Certificate Chain:
openssl pkcs12 -in $keystore.p12
openssl pkcs12 -export -in $keystore.txt -inkey $keystore.txt -out $keystore.p12 -name $key_name -CAfile $keystore.txt -caname root
Java Keystores
Back up Java keystore keys to PKCS12 format:
keytool -importkeystore -srckeystore $keystore.jks -destkeystore $keystore.p12 -deststoretype PKCS12
Restore a Java keystore from a PKCS12 file:
- Create a new, empty keystore:
keytool -genkey -alias $alias -keyalg RSA -sigalg SHA256withRSA -keystore $keystore.jks
- Convert the PKCS12-formatted file to a Java keystore:
keytool -importkeystore -deststorepass $STORE_PASSWORD -destkeypass $STORE_PASSWORD -destkeystore $keystore.jks -srckeystore $keystore.p12 -srcstoretype PKCS12 -srcstorepass $STORE_PASSWORD -alias $alias