Will the cross root cover trust by the default list in the JDK/JRE?

I’ve just hit this issue myself. Whilst beta testing I found Maven wouldn’t accept the cert (I have proxied Nexus on a whitelisted domain) & Maven was failing with:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The temporary solution (until Oracle adds it to the JDK) was to use the following to manually add the certificate chain to the JDK:

Presuming:

  • JAVA_HOME is the location of the JDK, i.e. for me it’s /usr/local/java/jdk1.8.0_66
  • chain.pem is the certificate chain from Let's Encrypt

The following command will add it to the local JDK:

keytool -trustcacerts \
    -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit \
    -noprompt -importcert -file chain.pem

Peter

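As an added example (not part of the original post), the same import done one certificate at a time: the script splits chain.pem, prints each certificate's owner and SHA-256 fingerprint for comparison with the values the CA publishes, and imports each one under an explicit alias instead of keytool's default alias `mykey`. The function names, the `letsencrypt` alias prefix and the `STOREPASS`/`ALIAS_PREFIX` variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: import a PEM chain into a Java truststore, one alias per certificate.
# Function names, alias prefix and environment variables are illustrative assumptions.

# split_chain CHAIN OUTDIR: writes OUTDIR/cert-1.pem, cert-2.pem, ... and prints the count.
split_chain() {
    chain=$1 outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END { print n + 0 }
    ' "$chain"
}

# import_chain CHAIN KEYSTORE STOREPASS PREFIX: imports as PREFIX-1, PREFIX-2, ...
import_chain() {
    chain=$1 keystore=$2 storepass=$3 prefix=$4
    tmp=$(mktemp -d) || return 1
    count=$(split_chain "$chain" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        # Show subject and fingerprint so they can be checked before the cert is trusted.
        keytool -printcert -file "$tmp/cert-$i.pem" | grep -E 'Owner:|SHA256:'
        keytool -importcert -trustcacerts -noprompt \
            -keystore "$keystore" -storepass "$storepass" \
            -alias "$prefix-$i" -file "$tmp/cert-$i.pem" || { rm -rf "$tmp"; return 1; }
        i=$((i + 1))
    done
    rm -rf "$tmp"
    # List the entries that were actually written to the keystore.
    keytool -list -keystore "$keystore" -storepass "$storepass" | grep "^$prefix-"
}

# Runs only when given arguments, e.g.:
#   sh import-chain.sh chain.pem "$JAVA_HOME/jre/lib/security/cacerts"
if [ "$#" -ge 2 ]; then
    import_chain "$1" "$2" "${STOREPASS:-changeit}" "${ALIAS_PREFIX:-letsencrypt}"
fi
```

Entries added this way can be removed individually later with `keytool -delete -alias <alias>` once the JDK ships the root itself.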