Solving "Unable to Connect to SSL Services due to PKIX Path Building Failed sun.security.provider.certpath.SunCertPathBuilder" Exception

Problem

In this post I explain how to solve the issue that throws the following exception.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
 at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
 at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
 at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:846)
 at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
 at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
 at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
 at InstallCert.main(InstallCert.java:63)

Solution

The reason for this exception is that the certificate of one or both applications is not trusted by the other application, because it has not been imported into the trust store of the JVM running that application. We need to install the SSL certificates that the application needs to connect over SSL into our local keystore.

First, download InstallCert from here and compile InstallCert.java:

javac InstallCert.java

Assume that we need to download the SSL certificate of the server at https://example.com. To add it to your local store, run:

java InstallCert example.com:443

These commands create a file called jssecacerts and update it with another SSL certificate every time you add one.

Copy this file to your Java security folder (usually at $JAVA_HOME/jre/lib/security):

sudo cp jssecacerts $JAVA_HOME/jre/lib/security

Now our Java applications will be able to connect over SSL to the servers that we allowed.

Additional Operations:

Access server, and retrieve certificate.
java InstallCert [host]:[port]

Extract certificate from created jssecacerts keystore
keytool -exportcert -alias [host]-1 -keystore jssecacerts -storepass changeit -file [host].cer

Import certificate into system keystore
keytool -importcert -alias [host] -keystore [path to system keystore] -storepass changeit -file [host].cer
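
InstallCert saves whatever certificate the server presents at the time it is run, so it is worth confirming that the stored entry is the expected one before jssecacerts is copied into the JVM security folder or the certificate is imported into the system keystore. The shell functions below are an added example, not part of the original post or of InstallCert. They assume the expected SHA-256 fingerprint was obtained from the server's operator through a separate channel, and that keytool -list -v prints a "SHA256:" line for the entry.

```shell
#!/bin/sh
# Added example: check the certificate InstallCert saved before trusting it JVM-wide.
# Keystore "jssecacerts", alias "<host>-1" and password "changeit" are the values
# used on this page; EXPECTED is an assumed out-of-band SHA-256 fingerprint.

# Reduce a fingerprint to bare uppercase hex. Accepts "ab:cd:..", keytool's
# "SHA256: AB:CD:.." line and openssl's "sha256 Fingerprint=AB:CD:.." line.
fp_norm() {
    printf '%s\n' "$1" | awk 'NF { print $NF }' | sed 's/.*=//' |
        tr -d ':' | tr 'a-f' 'A-F'
}

# Print the normalised SHA-256 fingerprint of one keystore entry.
# Assumption: "keytool -list -v" prints a "SHA256:" line for the entry.
keystore_fp() {   # keystore_fp KEYSTORE ALIAS [STOREPASS]
    line=$(keytool -list -v -keystore "$1" -alias "$2" \
               -storepass "${3:-changeit}" | grep 'SHA256:' | head -n 1)
    [ -n "$line" ] || return 1
    fp_norm "$line"
}

# Succeed (exit status 0) only if the stored certificate matches EXPECTED.
verify_alias() {  # verify_alias KEYSTORE ALIAS EXPECTED [STOREPASS]
    got=$(keystore_fp "$1" "$2" "$4") || {
        echo "no SHA256 fingerprint found for alias $2" >&2
        return 2
    }
    want=$(fp_norm "$3")
    if [ "$got" = "$want" ]; then
        echo "OK: $2 matches the expected fingerprint"
    else
        echo "MISMATCH for $2: keystore has $got, expected $want" >&2
        return 1
    fi
}

# Usage (not run here): copy the keystore only after the check passes.
#   verify_alias jssecacerts example.com-1 "$EXPECTED" &&
#       sudo cp jssecacerts "$JAVA_HOME/jre/lib/security"
```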
