Have you run into the following exception?

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

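This exception means that the web server or URL you are connecting to does not have a valid certificate from an authorized CA. CA certificates cost money, so how should a programmer solve this problem?

All you need to do is import the server certificate and install it in the JDK's keystore. Following the steps below will solve the problem.

1. First, copy the URL you want to connect to, paste it into a browser, and press Enter.

2. You will probably see a warning about the certificate. Click "View Certificate" and install the certificate. Ignore any warning messages.

3. Once the server certificate is installed on the computer, the browser no longer warns you when you visit the same site again. However, the JRE only knows about the certificate once it has been added to the keystore. Certificates are usually managed with keytool, a command-line tool with many parameters that creates and manages the keystores used to store digital certificates. For the complete keytool documentation, see http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html

4. Use the keytool -list command to list the certificates currently in the keystore. The initial password of the cacerts keystore is changeit. For example: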

C:\Program Files\Citrix\Citrix Extranet Server\SGJC\jre\bin>keytool -list -keystore ..\lib\security\cacerts

输入密钥库密码:changeit

You will see output like the following:

Keystore type: jks

Keystore provider: SUN

Your keystore contains 11 entries:

engweb, Wed Apr 11 16:22:49 EDT 2001, trustedCertEntry,

Certificate fingerprint (MD5): 8C:24:DA:52:7A:4A:16:4B:8E:FB:67:44:C9:D2:E4:16

thawtepersonalfreemailca, Fri Feb 12 15:12:16 EST 1999, trustedCertEntry,

Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9

thawtepersonalbasicca, Fri Feb 12 15:11:01 EST 1999, trustedCertEntry,

Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41

verisignclass3ca, Mon Jun 29 13:05:51 EDT 1998, trustedCertEntry,

Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D

thawteserverca, Fri Feb 12 15:14:33 EST 1999, trustedCertEntry,

Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D

thawtepersonalpremiumca, Fri Feb 12 15:13:21 EST 1999, trustedCertEntry,

Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D

verisignclass4ca, Mon Jun 29 13:06:57 EDT 1998, trustedCertEntry,

Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10

verisignclass1ca, Mon Jun 29 13:06:17 EDT 1998, trustedCertEntry,

Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20

verisignserverca, Mon Jun 29 13:07:34 EDT 1998, trustedCertEntry,

Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93

thawtepremiumserverca, Fri Feb 12 15:15:26 EST 1999, trustedCertEntry,

Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A

verisignclass2ca, Mon Jun 29 13:06:39 EDT 1998, trustedCertEntry,

Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8

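5. Now add the previously installed certificate to this keystore. First export the CA root certificate as a DER-encoded binary file and save it as C:\root.cer. (You can view the installed certificates under "Tools" -> "Internet Options" -> "Content" -> "Certificates". After opening the certificates, find the one you just installed under "Trusted Root Certification Authorities". Select the correct certificate, then click “ You can now save it (as a DER-encoded binary file) on the c: drive.)

6. Then use the keytool -import command to import the file into the cacerts keystore.

For example: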

C:\Program Files\Citrix\Citrix Extranet Server\SGJC\jre\bin>keytool -import -alias myprivateroot -keystore ..\lib\security\cacerts -file c:\root.cer
Enter keystore password: changeit

Owner: CN=Division name, OU=Department, O=Your Company, L=Anytown,

ST=NC, C=US, EmailAddress=you@company.com

Issuer: CN=Division name, OU=Department, O=Your Company, L=Anytown,

ST=NC, C=US, EmailAddress=you@company.com

Serial number: 79805d77eecfadb147e84f8cc2a22106

Valid from: Wed Sep 19 14:15:10 EDT 2001 until: Mon Sep 19 14:23:20 EDT 2101

Certificate fingerprints:

MD5: B6:30:03:DC:6D:73:57:9B:F4:EE:13:16:C7:68:85:09

SHA1: B5:C3:BB:CA:34:DF:54:85:2A:E9:B2:05:E0:F7:84:1E:6E:E3:E7:68

Trust this certificate? [no]: yes

Certificate was added to keystore

7. Now run keytool -list again to verify that the private root certificate has been added:

C:\Program Files\Citrix\Citrix Extranet Server\SGJC\jre\bin>keytool -list -keystore ..\lib\security\cacerts

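You will now see a list of all certificates, including the one you just added.

This confirms that the private root certificate has been added to the Extranet server's cacerts keystore as a trusted certificate authority.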
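
The check in step 7 can be automated by saving the keytool -list output before and after the import and comparing the two. The following is an added example, not code from the original article: it parses the listing format shown in step 4 and confirms that the only change is the new alias, with the fingerprint that keytool displayed at the "Trust this certificate?" prompt. The function names and the sample listings are constructed for illustration.

```python
import re

# Entry header printed by `keytool -list`: "alias, date, entryType,"
ENTRY = re.compile(r"^(?P<alias>[^,]+), .+, (?P<type>\w+),$")
# The label in parentheses varies by JDK version (MD5, SHA1, SHA-256).
FPRINT = re.compile(r"^Certificate fingerprint \((?P<alg>[^)]+)\): (?P<fp>[0-9A-Fa-f:]+)$")

def parse_listing(text):
    """Return {alias: (entry_type, algorithm, fingerprint)} from keytool -list output."""
    entries, pending = {}, None
    for line in map(str.strip, text.splitlines()):
        header = ENTRY.match(line)
        if header:
            pending = (header["alias"], header["type"])
            continue
        fp = FPRINT.match(line)
        if fp and pending:
            entries[pending[0]] = (pending[1], fp["alg"], fp["fp"].upper())
            pending = None
    return entries

def diff_listings(before, after):
    """Return (added entries, removed aliases, aliases whose entry changed)."""
    added = {a: after[a] for a in after.keys() - before.keys()}
    removed = sorted(before.keys() - after.keys())
    changed = sorted(a for a in before.keys() & after.keys() if before[a] != after[a])
    return added, removed, changed

def import_is_expected(before, after, alias, fingerprint):
    """True only if the single difference is `alias` with the expected fingerprint."""
    added, removed, changed = diff_listings(before, after)
    return (not removed and not changed and set(added) == {alias}
            and added[alias][2] == fingerprint.upper())

# Constructed sample listings in the format shown above (the last entry's date is made up).
BEFORE = """Keystore type: jks
engweb, Wed Apr 11 16:22:49 EDT 2001, trustedCertEntry,
Certificate fingerprint (MD5): 8C:24:DA:52:7A:4A:16:4B:8E:FB:67:44:C9:D2:E4:16
thawteserverca, Fri Feb 12 15:14:33 EST 1999, trustedCertEntry,
Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
"""
AFTER = BEFORE + """myprivateroot, Wed Sep 19 14:30:00 EDT 2001, trustedCertEntry,
Certificate fingerprint (MD5): B6:30:03:DC:6D:73:57:9B:F4:EE:13:16:C7:68:85:09
"""
EXPECTED_MD5 = "B6:30:03:DC:6D:73:57:9B:F4:EE:13:16:C7:68:85:09"  # from the import prompt

if __name__ == "__main__":
    print(import_is_expected(parse_listing(BEFORE), parse_listing(AFTER),
                             "myprivateroot", EXPECTED_MD5))
```

A result of False means that an entry other than the intended one was added, removed or changed, or that the new entry's fingerprint differs from the one confirmed at import time.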

Original article: https://www.java-samples.com/showtutorial.php?tutorialid=210



Unless otherwise noted, all articles are original works of 程序新视界; reposts must credit this article with a link.

Article link: http://www.choupangxia.com/2020/03/21/sslhandshakeexception/