
I have three Java-based web applications, app1, app2 and app3, in production. All three are verified by verified CAs, hosted on three different web servers, and served over HTTPS. app1 and app2 are verified by SecureTrust; app3 is verified by Trustwave.

Below is the certificate hierarchy I can see when I hit any of these apps through a web browser.

The app1 and app2 certificate hierarchy is the same, i.e.

    Entrust.net Secure Server Certification Authority---> SecureTrust CA------->*.myAppDomain.com

The app3 certificate hierarchy is

    Entrust.net Secure Server Certification Authority---> SecureTrust CA------->TrustWave Organization Validation CA, L------->*.myApp3.com

Now, when app1 connects to app2, it works fine. But when app1 connects to app3, it gets the exception below:

 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 

Now I had a look at the cacerts file (i.e. the trust store) inside the JDK on the web server hosting app1. I tried to find the entries for Entrust, SecureTrust and TrustWave but found only entries like entrustevca, entrust2048ca, etc. So if I go by the logic that if the root certificate (which is Entrust for both applications app2 and app3) lies in the trust store of the contacting application (app3), which I can see in the cacerts file on app3, then I should not get the above-mentioned error when app1 tries to contact app3 through HttpsURLConnection. I am not getting the cause of this. I am not sure whether we need to include the TrustWave certificate as well, though the root certificate, i.e. Entrust, which internally authenticates TrustWave, is already there?

If I need to include the TrustWave certificate (used by app3) in the cacerts file, then by that logic I should also include SecureTrust (used by app2) in the cacerts file, but that is working fine?

1 Answer


The client's truststore doesn't trust the server's certificate. So there was no trusted CA certificate in the client's truststore that matched anything in the certificate chain supplied by the server. So that certificate chain was incomplete. You need to import everything you were supplied with by the CA into the server's keystore.


4 Comments

Hi EJP. When you said "The client's truststore doesn't trust the server's certificate." I hope you mean the web server as the client, not the web browser as the client. Because when I hit the same URL in any browser, it succeeds without giving any warning or exception for the certificate. As per my understanding, this is happening because I can find the entry for Entrust.net Secure Server Certification Authority in the browser's Trusted Root Certification Authorities.
Another point: you also said "So there was no trusted CA certificate in the client's truststore that matched anything in the certificate chain supplied by the server." But I can find the entries entrustevca, entrust2048ca and other Entrust-related entries [which is the root certificate used by app3] in the cacerts file of app1. So when app1 contacts app3 it should not throw the exception. RIGHT?
I mean whichever element in your application is the client in the transaction in question. Surely this is obvious. If there is a certificate in the chain supplied by the server that is trusted by the client's truststore, you won't get this exception. Ergo there isn't.
Maybe the root certificate is different, or an older version. Export the certificates and check if you can verify with the root.
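The suggestion to export the certificates and check them against the root can be done with the same PKIX builder that HttpsURLConnection uses, which makes the gap in the chain visible instead of just reproducing the exception. The following is an added diagnostic program, not code from the question, the answer, or any of the products named on the page. It assumes the chain the server actually sent has been saved leaf-first as a PEM file (for example from the output of `openssl s_client -connect host:443 -showcerts`), that the JDK's cacerts is at its stock location under `java.home` with the default password `changeit`, and that `ChainCheck`, `truststore` and `truststore.password` are names chosen for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

// Added diagnostic (not from the question or answer): builds a PKIX path from the chain a
// server sent to a trust anchor in the JDK truststore and names the issuer that is missing.
public class ChainCheck {

    // Assumed location of the JDK truststore the question calls "cacert"; "changeit" is the
    // stock default password. Both can be overridden with -Dtruststore / -Dtruststore.password.
    static final String TRUSTSTORE = System.getProperty("truststore",
            System.getProperty("java.home") + "/lib/security/cacerts");
    static final char[] TRUSTSTORE_PASSWORD =
            System.getProperty("truststore.password", "changeit").toCharArray();

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java ChainCheck <server-chain.pem>");
            System.exit(2);
        }
        List<X509Certificate> chain = readChain(args[0]);
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(TRUSTSTORE)) {
            trust.load(in, TRUSTSTORE_PASSWORD);
        }
        System.out.println("Server sent " + chain.size() + " certificate(s):");
        for (X509Certificate c : chain) {
            System.out.println("  subject=" + c.getSubjectX500Principal()
                    + "\n  issuer =" + c.getIssuerX500Principal());
        }
        try {
            PKIXCertPathBuilderResult result = buildPath(chain, trust);
            System.out.println("OK: path ends at trust anchor "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            // This is the same failure HttpsURLConnection surfaces as
            // "unable to find valid certification path to requested target".
            System.out.println("PKIX path building failed: " + e.getMessage());
            X500Principal missing = findMissingIssuer(chain, trust);
            if (missing != null) {
                System.out.println("No certificate with subject [" + missing
                        + "] was sent by the server or found in " + TRUSTSTORE);
                System.out.println("Either configure the server to send that intermediate, "
                        + "or import it into the client truststore.");
            }
        }
    }

    /** Parses one or more PEM certificates in the order the server sent them (leaf first). */
    static List<X509Certificate> readChain(String pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemFile)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        if (chain.isEmpty()) throw new IllegalArgumentException("no certificates in " + pemFile);
        return chain;
    }

    /** Runs the JDK's PKIX builder with the truststore as anchors and the sent chain as candidates. */
    static PKIXCertPathBuilderResult buildPath(List<X509Certificate> chain, KeyStore trust)
            throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
        params.setRevocationEnabled(false); // offline diagnostic; revocation is a separate check
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain)));
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    /** Name-based heuristic: first issuer DN that appears neither in the chain nor in the truststore. */
    static X500Principal findMissingIssuer(List<X509Certificate> chain, KeyStore trust)
            throws KeyStoreException {
        Set<X500Principal> known = new HashSet<>();
        for (X509Certificate c : chain) known.add(c.getSubjectX500Principal());
        for (Enumeration<String> aliases = trust.aliases(); aliases.hasMoreElements();) {
            Certificate c = trust.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate) known.add(((X509Certificate) c).getSubjectX500Principal());
        }
        for (X509Certificate c : chain) {
            if (!known.contains(c.getIssuerX500Principal())) return c.getIssuerX500Principal();
        }
        return null; // every issuer is present by name; a failure is then signature or validity, not a gap
    }
}
```

Run it against the chain saved from app3 and then against the one from app2. If app3's server sends only its leaf, the reported missing subject will be the intermediate (the "TrustWave Organization Validation CA" entry in the hierarchy above), which is exactly what a browser fills in from its own cache or by AIA fetching but the JDK does not. A root in cacerts is only useful when every link between the leaf and that root is either sent by the server or already in the truststore; that is why app2's chain, which has no extra intermediate beyond what the truststore already knows, validates while app3's does not.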