Last Updated on June 28, 2020 by Colin
When developing a Java web app on Mac OS Catalina, you may have a service that makes an API request to a secure URL.
If you don’t have that secure (https) URL’s root certificate in your Java truststore, the call will fail with this error:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The solution is to put that secure URL’s host’s root certificate into your Java truststore. Easier said than done, but here’s how to do it on Mac OS Catalina.
1. Download the Certificate
- Go to the secure URL in the Chrome browser.
- Press F12 to open the Chrome Inspector Tools.
- Open the “Security” tab in the Inspector Tools. It’s going to be on the right side of the top nav.
- Click the “View Certificate” button.
- Open a new Finder window somewhere else on your screen.
- In the certificate box, click on the certificate at the top of the tree. Then drag the big image of the Root Certificate into your Finder window. You should now have a file called something like “DST Root CA X3.cer” in your Finder window.
- Pro Tip:
  - Clicking and dragging with no keys held down gives you a *.cer certificate
  - Clicking and dragging with the Command key held down gives you a *.txt version of the certificate
  - Clicking and dragging with the Option (or Alt) key held down gives you a *.pem version of the certificate
  - The truststore will accept a *.pem or *.cer file
- Rename the file so that it has no spaces in it: “DSTRootCAX3.cer”.
2. Put the Certificate in your Java truststore
- Open a Terminal window.
- Run this command to put the cert in your Java truststore:
sudo keytool -import -alias dstrootcax3 -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_77.jdk/Contents/Home/jre/lib/security/cacerts -file DSTRootCAX3.cer
Here is the command broken down so you can see where to replace strings with your values:
sudo keytool -import -alias <uniqueAliasName> -keystore <pathToYourJavaInstallations_cacerts_file> -file <pathToCertYouJustDownloaded>
The command starts with sudo because you need Admin rights to make this change. You’ll be asked for your Mac user password to proceed.
You’ll next be asked for the password to the truststore. If you have never changed the password, the password is “changeit”.
uniqueAliasName should be a unique name within the truststore cert list that will let you recognize this particular cert, say, in case you want to remove it.
pathToYourJavaInstallations_cacerts_file is the path to the cacerts file you are using as a truststore. If your server is not using a custom cacerts file, this will be at the default location for your Java installation. If you are using the default Java installation that came with your Mac, like I am, it could be this path:
pathToCertYouJustDownloaded is the path to the cert you just put in your Finder folder.
If you’ve run the command successfully, you should see this message in your terminal:
Certificate was added to keystore
You can now restart your Java web server, and your API call should work.
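Anything placed in cacerts is trusted by every Java program that uses that truststore, so it is worth confirming the downloaded file is the certificate you think it is before importing it. The script below is an added example, not part of the original post: it compares the file's SHA-256 fingerprint with a value you supply, refuses to reuse an existing alias, backs up cacerts, and then runs the same import command as above. The function names are hypothetical, and the expected fingerprint is assumed to come from a source other than the connection the certificate was downloaded from, such as the CA's own published value.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): check a certificate's SHA-256
# fingerprint before importing it into a Java truststore with keytool.
# Function names are hypothetical; the expected fingerprint is an assumption
# and must be obtained out of band (e.g. from the CA's published value).

# Normalize a fingerprint: drop colons and whitespace, uppercase the hex digits.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# Succeed only if the first value is 64 hex digits and equals the second.
fp_matches() {
  local a b
  a=$(normalize_fp "$1")
  b=$(normalize_fp "$2")
  case "$a" in *[!0-9A-F]*|"") return 1 ;; esac
  [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint keytool computes for a .cer or .pem file.
cert_fp() {
  keytool -printcert -file "$1" | awk '/SHA256:/ { print $NF; exit }'
}

# import_verified <pathToCert> <expectedSha256> <uniqueAliasName> <pathToCacerts>
import_verified() {
  local cert=$1 expected=$2 alias=$3 store=$4 actual
  actual=$(cert_fp "$cert")
  if ! fp_matches "$expected" "$actual"; then
    echo "Fingerprint mismatch, not importing. File has: ${actual:-<none>}" >&2
    return 1
  fi
  # keytool asks for the truststore password on each call below.
  if keytool -list -alias "$alias" -keystore "$store" >/dev/null; then
    echo "Alias '$alias' already exists in $store, not importing." >&2
    return 1
  fi
  # Keep a copy of the truststore to roll back to, then import as in step 2.
  sudo cp -p "$store" "$store.bak" &&
    sudo keytool -import -alias "$alias" -keystore "$store" -file "$cert"
}

# Usage, with the placeholders from the command breakdown above:
#   import_verified <pathToCertYouJustDownloaded> <expectedSha256> \
#     <uniqueAliasName> <pathToYourJavaInstallations_cacerts_file>
```

To undo the change later, remove the entry with keytool -delete and the same alias, or restore the .bak copy.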