How to Add a Root Certificate to the Java Truststore on Mac OS 10.15 Catalina

When developing a Java web app on Mac OS Catalina, you may have a service that makes an API request to a secure URL.

If you don’t have that secure (https) URL’s root certificate in your Java truststore, the call will fail with this error:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The solution is to put that secure URL’s host’s root certificate into your Java truststore. Easier said than done, but here’s how to do it on Mac OS Catalina.

1. Download the Certificate

  1. Go to the secure URL in the Chrome browser.
  2. Hit F12 to open the Chrome Inspector Tools.
  3. Open the “Security” tab in the Inspector Tools. It’s going to be on the right side of the top nav.
  [Screenshot with annotations indicating the steps needed to grab an SSL cert]
  4. Click the “View Certificate” button.
  5. Open a new Finder window somewhere else on your screen.
  6. In the certificate box, click on the certificate at the top of the tree. Then drag the big image of the Root Certificate into your Finder window. You should now have a file called something like “DST Root CA X3.cer” in your Finder window.
     Pro Tip:
       1. Clicking and dragging with no keys held down gives you a *.cer certificate
       2. Clicking and dragging with the Command key held down gives you a *.txt version of the certificate
       3. Clicking and dragging with the Option (or Alt) key held down gives you a *.pem version of the certificate
       4. The truststore will accept a *.pem or *.cer file
  7. Rename the file so that it has no spaces in it: “DSTRootCAX3.cer”.

2. Put the Certificate in your Java truststore

  1. Open a Terminal window.
  2. Run this command to put the cert in your Java truststore:
sudo keytool -import -alias dstrootcax3 -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_77.jdk/Contents/Home/jre/lib/security/cacerts -file DSTRootCAX3.cer

Here is the command broken down so you can see where to replace strings with your values:

sudo keytool -import -alias <uniqueAliasName> -keystore <pathToYourJavaInstallations_cacerts_file> -file <pathToCertYouJustDownloaded>

The command starts with sudo because you need Admin rights to make this change. You’ll be asked for your Mac user password to proceed.

You’ll next be asked for the password to the truststore. If you have never changed the password, the password is “changeit”.

The uniqueAliasName should be a unique name within the truststore cert list that will let you recognize this particular cert, say, in case you want to remove it.

The pathToYourJavaInstallations_cacerts_file is the path to the cacerts file you are using as a truststore. If your server is not using a custom cacerts file, this will be at the default location for your Java installation. If you are using the default Java installation that came with your Mac, like I am, it could be this path: /Library/Java/JavaVirtualMachines/jdk1.8.0_77.jdk/Contents/Home/jre/lib/security/cacerts

The pathToCertYouJustDownloaded is the path to the cert you just put in your Finder folder.

If you’ve run the command successfully, you should see this message in your terminal: Certificate was added to keystore

You can now restart your Java web server, and your API call should work.
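The keytool command above edits the JDK-wide cacerts file, so every Java program on the machine starts trusting that root. An alternative that keeps the change scoped to one project is to do the same import programmatically with the standard KeyStore API into a copy of cacerts, and to check the certificate's SHA-256 fingerprint (the same value keytool -printcert and Chrome's certificate viewer show) before trusting it. The Java program below is an added example written for this page, not code from the original post; the cacerts path, the certificate file name, the alias and the output file name are assumptions taken from the steps above and should be replaced with your own values.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Programmatic equivalent of the keytool import described on this page, but
 * written into a COPY of cacerts so the JDK-wide truststore stays untouched.
 * All paths, the alias and the password below are assumed values.
 */
public class TrustStoreImport {

    // Assumed: the default JDK 8 cacerts path quoted on the page; adjust to your install.
    static final Path SYSTEM_CACERTS = Paths.get(
        "/Library/Java/JavaVirtualMachines/jdk1.8.0_77.jdk/Contents/Home/jre/lib/security/cacerts");
    // Assumed: the certificate dragged out of Chrome and renamed without spaces.
    static final Path CERT_FILE = Paths.get("DSTRootCAX3.cer");
    // Assumed: a per-project truststore that you point your server at instead of cacerts.
    static final Path APP_TRUSTSTORE = Paths.get("app-truststore.jks");
    static final char[] PASSWORD = "changeit".toCharArray(); // JDK default, as noted on the page
    static final String ALIAS = "dstrootcax3";

    // SHA-256 fingerprint in keytool's colon-separated upper-case hex format.
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // CertificateFactory reads both DER (.cer) and PEM (.pem) files, matching the page's note.
    static X509Certificate readCert(Path file) throws Exception {
        try (InputStream in = Files.newInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate root = readCert(CERT_FILE);
        root.checkValidity(); // throws if the certificate is expired or not yet valid
        System.out.println("Subject: " + root.getSubjectX500Principal());
        System.out.println("SHA-256: " + sha256Fingerprint(root));

        // A root certificate is a self-issued CA; anything else means the wrong entry
        // in Chrome's chain view was dragged out.
        boolean selfIssued = root.getSubjectX500Principal().equals(root.getIssuerX500Principal());
        if (root.getBasicConstraints() < 0 || !selfIssued) {
            throw new IllegalStateException("file is not a self-signed CA certificate");
        }

        // Load the existing cacerts so the public roots remain trusted, add ours, save a copy.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(SYSTEM_CACERTS)) {
            ks.load(in, PASSWORD);
        }
        ks.setCertificateEntry(ALIAS, root);
        try (OutputStream out = Files.newOutputStream(APP_TRUSTSTORE)) {
            ks.store(out, PASSWORD);
        }

        // Confirm that a trust manager built from the new store accepts the root,
        // which is what resolves the "unable to find valid certification path" error.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        boolean trusted = false;
        for (X509Certificate issuer : tm.getAcceptedIssuers()) {
            if (issuer.equals(root)) {
                trusted = true;
                break;
            }
        }
        System.out.println(trusted ? "Root is now an accepted issuer" : "Import did not take effect");
    }
}
```

Compare the printed SHA-256 line with the fingerprint Chrome shows for the root before using the resulting file. To make the server use it without touching the JDK copy, start it with -Djavax.net.ssl.trustStore=app-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit (both are standard JSSE system properties); sudo is then not needed, and removing the cert later is just deleting that one file.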
