Java, SSL and self-signed certificates

Posted by: Brian Pontarelli on July 26, 2008

Depending on the API you are using or how you are using SSL, you might have received an error stating that the certificate is invalid, no path to certificate, invalid certificate chain, no chain found, PKIX error, or something similar. This occurs when the certificate is self-signed or signed by an authority that the JDK you are using does not trust.

There is a simple way to handle this for self-signed certificates:

  1. Open Firefox
  2. Go to the site that is using SSL (e.g. https://svn.example.com)
  3. Click on the lock in the lower right corner of the browser window
  4. Click the “View certificate” button
  5. Click the details tab
  6. Click the export button to export the certificate
  7. Save the certificate in X.509 (PEM) format
  8. Go to a command prompt
  9. Add the certificate to the keystore

Here is the command to add the certificate to your global keystore:

*nix

$ keytool -import -keystore $JAVA_HOME/lib/security/cacerts -file <your-pem-export> -alias <anything>

Windows

c:\> keytool -import -keystore %JAVA_HOME%/lib/security/cacerts -file <your-pem-export> -alias <anything>
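
Importing a certificate into the global keystore makes every Java program that uses that JDK trust it, so the exported file should be checked against a fingerprint obtained from the server's administrator before it is added. The following is an added example, not part of the original post: the function names are illustrative, and it assumes GNU base64 and sha256sum are available alongside keytool.

```shell
#!/bin/sh
# Added example: compare a PEM export with a SHA-256 fingerprint obtained
# out-of-band, and run keytool only when they match.
# Usage: verify_and_import <pem> <expected-fingerprint> <alias> <keystore>

# Lower-case a fingerprint and drop ':' and spaces so formats compare equal.
normalize_fp() {
  printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# SHA-256 of the DER bytes of the first certificate in a PEM file.
# This is the value browsers and keytool display as the SHA-256 fingerprint.
pem_sha256() {
  awk '/-----BEGIN CERTIFICATE-----/ {inside = 1; next}
       /-----END CERTIFICATE-----/   {exit}
       inside' "$1" | tr -d '\r' | base64 -d | sha256sum | cut -d' ' -f1
}

verify_and_import() {
  # Refuse files that are missing or are not a PEM certificate at all.
  if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    echo "not a PEM certificate: $1" >&2
    return 1
  fi
  vi_actual=$(pem_sha256 "$1")
  vi_expected=$(normalize_fp "$2")
  if [ -z "$vi_actual" ] || [ "$vi_actual" != "$vi_expected" ]; then
    echo "fingerprint mismatch for $1: got $vi_actual" >&2
    return 1
  fi
  # keytool prompts for the keystore password and for trust confirmation.
  keytool -import -keystore "$4" -file "$1" -alias "$3"
}
```

On a mismatch the function returns 1 without touching the keystore, which is the case to investigate before retrying the export.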