异常javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
你是否遇到如下异常:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
以上异常表示要连接的Web服务器或URL没有来自授权CA的有效证书。 而CA证书是需要付费的,作为程序员该如何解决此问题呢?
你需要做的就是导入服务器证书并将其安装在JDK的密钥库中。只需按照以下步骤操就可以解决对应的问题。
1.首先,复制要连接的URL,将其粘贴到浏览器中,回车。
2.你可能会看到一个关于证书的警告。 单击“查看证书”并安装证书。忽略任何警告消息。
3.当服务器证书安装到计算机中之后,再次访问同一站点时,浏览器将不会发出警告。但是,需要将证书添加到秘钥库中,JRE才知道该证书的存在。通常使用keytool来管理证书,它是带有许多参数的命令行工具程序,可创建和管理用于存储数字证书的密钥库。有关keytool的完整文档,请访问http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html
4.使用keytool -list命令列出密钥库中包含的当前证书。cacerts密钥库的初始密码为changeit。 例如:
C:\Program Files\Citrix\Citrix Extranet Server\SGJC\jre\bin>keytool -list -keystore ..\lib\security\cacerts
输入密钥库密码:changeit
如会看到如下信息:
Keystore type: jks Keystore provider: SUN Your keystore contains 11 entries: engweb, Wed Apr 11 16:22:49 EDT 2001, trustedCertEntry, Certificate fingerprint (MD5): 8C:24:DA:52:7A:4A:16:4B:8E:FB:67:44:C9:D2:E4:16 thawtepersonalfreemailca, Fri Feb 12 15:12:16 EST 1999, trustedCertEntry, Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9 thawtepersonalbasicca, Fri Feb 12 15:11:01 EST 1999, trustedCertEntry, Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41 verisignclass3ca, Mon Jun 29 13:05:51 EDT 1998, trustedCertEntry, Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D thawteserverca, Fri Feb 12 15:14:33 EST 1999, trustedCertEntry, Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D thawtepersonalpremiumca, Fri Feb 12 15:13:21 EST 1999, trustedCertEntry, Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D verisignclass4ca, Mon Jun 29 13:06:57 EDT 1998, trustedCertEntry, Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10 verisignclass1ca, Mon Jun 29 13:06:17 EDT 1998, trustedCertEntry, Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20 verisignserverca, Mon Jun 29 13:07:34 EDT 1998, trustedCertEntry, Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93 thawtepremiumserverca, Fri Feb 12 15:15:26 EST 1999, trustedCertEntry, Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A verisignclass2ca, Mon Jun 29 13:06:39 EDT 1998, trustedCertEntry, Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8
5.预先安装的证书添加到此密钥库中。首先将CA Root证书导出为DER编码的二进制文件,然后将其保存为C:\ root.cer。(可以在“工具”->“ Internet选项”->“内容”->“证书”下查看已安装的证书。打开证书后,在“受信任的根证书颁发机构”下找到刚安装的证书。选择正确的证书,然后单击“ 现在可以将其(DER编码的二进制文件)保存在c: drive。
6.然后使用keytool -import命令将文件导入到cacerts密钥库中。
例如:
-alias myprivateroot -keystore ..\lib\security\cacerts -file c:\root.cer
Enter keystore password: changeit Owner: CN=Division name, OU=Department, O=Your Company, L=Anytown, ST=NC, C=US, EmailAddress=you@company.com Issuer: CN=Division name, OU=Department, O=Your Company, L=Anytown, ST=NC, C=US, EmailAddress=you@company.com Serial number: 79805d77eecfadb147e84f8cc2a22106 Valid from: Wed Sep 19 14:15:10 EDT 2001 until: Mon Sep 19 14:23:20 EDT 2101 Certificate fingerprints: MD5: B6:30:03:DC:6D:73:57:9B:F4:EE:13:16:C7:68:85:09 SHA1: B5:C3:BB:CA:34:DF:54:85:2A:E9:B2:05:E0:F7:84:1E:6E:E3:E7:68 Trust this certificate? [no]: yes Certificate was added to keystore
7.现在再次运行keytool -list来验证是否已添加私有根证书:
C:\Program Files\Citrix\Citrix Extranet Server\SGJC\jre\bin>keytool -list -keystore ..\lib\security\cacerts
现在可以看到所有证书的列表,包括刚刚添加的证书。
这说明私有根证书已作为受信任的证书颁发机构添加到Extranet服务器cacerts密钥库中。
原文链接:https://www.java-samples.com/showtutorial.php?tutorialid=210
关注公众号:程序新视界,一个让你软实力、硬技术同步提升的平台
除非注明,否则均为程序新视界原创文章,转载必须以链接形式标明本文链接
本文链接:https://choupangxia.com/2020/03/21/sslhandshakeexception/