
HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed

13 July 2011 3 Comments

I switched all my Java Glassfish webservices to SSL, because I wanted to have encrypted communication between me and my clients. Until then, all my applications worked flawlessly over the HTTP protocol, but now, after switching to SSL, I got the following error:

HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed

That means the client does not have the server's certificate and cannot validate the server's response against it. The simplest solution is to export the certificate from the web server and import it on the webservice client.

This can be done in 2 simple steps:

keytool -exportcert -alias s1as -keystore /home/user/glassfish/domains/domain1/config/cacerts.jks > domain1.cert

Now copy domain1.cert to the client and import it:

keytool -importcert -alias domain2 -keystore /home/user/glassfish/domains/domain1/config/cacerts.jks -file domain1.cert

Restart your webservice client (it seems the certificates are read only at start) and your application should work.


My problem was between a Glassfish server and my other Glassfish clients, but the solution explained here should easily work on JBoss, Tomcat or any other Java application container.

Do you know another solution? I presume you can ignore the signature check somehow … Anyway, please comment about that.

Good Luck in your projects!


3 Comments »


  • Peter DeGregorio said:

    Thanks … this worked nicely.

    Here is a version of your solution that works for a keystore generated per Tomcat instructions and a Java client, both running locally:


    keytool -exportcert -alias tomcat -keystore .keystore > tomcat.cert

    keytool -importcert -alias tomcat -keystore LOCATION_OF_JDK\jre\lib\security\cacerts -file tomcat.cert

