Installing an SSL certificate in Java


When your mail server has a self-signed certificate, you may get an exception like the following when trying to send mail using the YajHFC mailer plugin:

javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

[...]

In that case, you will need to install the server's SSL certificate as a trusted one into Java's key store (explanation copied from http://www.grim.se/guide/jre-cert):

To make your Java runtime environment trust the certificate, you need to import it into the JRE certificate store.

Step 1 - Get the certificate into your browser store

Browse to your application server using SSL. Your browser will tell you that the certificate isn't trusted and allow you to trust it, thereby placing it in the browser certificate store.

Step 2 - Export the certificate to a binary file

Your browser will have some kind of certificate manager that allows you to export or back up specific certificates to binary files. In Firefox that would be under Preferences / Advanced / Encryption / Servers. Find the certificate presented by the server and export it as a binary DER file.

Step 3 - Import the certificate into the Java Store

Make sure you have write access to your JRE and use the keytool utility to import it:

keytool -import -alias alias -keystore path-to-jre/lib/security/cacerts -file path-to-certificate-file

Example:

keytool -import -alias sunas -keystore /opt/jdk1.6/jre/lib/security/cacerts -file /home/gugrim/tmp/sunas.der

You will be prompted for the keystore password, which is changeit by default.

Also, when you connect to the server make sure you use the same name as the one set as the Subject in the certificate. You may need to add it to your hosts file if the server isn't reachable using this name, which may be the case for a development server.
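The same three steps can be done from the command line without a browser: fetch the certificate the server presents, save it as DER, import it with keytool and check the alias and the certificate's Subject afterwards. The script below is an added example, not part of the original page or of YajHFC; the host name, port, alias, keystore path, the optional STARTTLS protocol (needed for a mail server that upgrades a plain connection to TLS) and the sample openssl output embedded for the offline check are all constructed assumptions.

```shell
#!/bin/sh
# Added example: fetch a server certificate with openssl, store it as DER,
# import it into a Java keystore with keytool and verify the result.
# Not code from the original page; all names and paths are assumptions.
set -e

# Constructed sample of 'openssl s_client -showcerts' output (fake, truncated
# certificate bodies) used for the offline check of extract_leaf_pem.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.test
   i:/CN=Example Internal CA
-----BEGIN CERTIFICATE-----
MIIBleafFAKEbody
-----END CERTIFICATE-----
 1 s:/CN=Example Internal CA
   i:/CN=Example Internal CA
-----BEGIN CERTIFICATE-----
MIIBcaFAKEbody
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=mail.example.test'

# Keep only the first PEM block from s_client output read on stdin: the
# server's own (leaf) certificate, which is the one the error complains about.
extract_leaf_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1 { print }'
}

# Connect to host:port and print the leaf certificate as PEM. Pass a STARTTLS
# protocol name (e.g. smtp, imap) when the server starts in plain text.
fetch_leaf_pem() {
    host=$1; port=$2; starttls=${3:-}
    # </dev/null ends the session right after the handshake
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        ${starttls:+-starttls $starttls} </dev/null 2>/dev/null | extract_leaf_pem
}

# Show what the certificate says about itself so the Subject can be compared
# with the host name used in the mail settings.
show_subject() {
    openssl x509 -inform DER -noout -subject -issuer -fingerprint -sha256 -in "$1"
}

# Import a DER file under the given alias without interactive prompts.
import_cert() {
    keystore=$1; alias=$2; derfile=$3; password=${4:-changeit}
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
        -keystore "$keystore" -storepass "$password" -file "$derfile"
}

# Check that the alias is now present in the keystore (exit status only).
verify_alias() {
    keystore=$1; alias=$2; password=${3:-changeit}
    keytool -list -keystore "$keystore" -storepass "$password" -alias "$alias" >/dev/null
}

# usage: import-server-cert.sh HOST PORT ALIAS KEYSTORE [STARTTLS]
# e.g.:  import-server-cert.sh mail.example.test 587 mailserver \
#            /opt/jdk1.6/jre/lib/security/cacerts smtp
main() {
    host=$1; port=$2; alias=$3; keystore=$4; starttls=${5:-}
    der=$(mktemp)
    trap 'rm -f "$der"' EXIT
    fetch_leaf_pem "$host" "$port" "$starttls" \
        | openssl x509 -inform PEM -outform DER > "$der"
    show_subject "$der"
    import_cert "$keystore" "$alias" "$der"
    verify_alias "$keystore" "$alias" && echo "alias '$alias' present in $keystore"
}

# Only run the import when arguments are given; sourcing the file for the
# offline check of extract_leaf_pem leaves the keystore untouched.
if [ $# -ge 4 ]; then
    main "$@"
fi
```

The keystore must be writable by the user running the script, as on the page; if the certificate is later replaced on the server, delete the alias (keytool -delete -alias ...) before importing the new one, because keytool refuses to overwrite an existing alias.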