By default, all trusted Certificate Authorities are stored in a Java keystore file [cacerts] placed at
It holds the certificates of every CA the JVM trusts out of the box, so a web application deployed on Tomcat can reach any external HTTPS web service (SOAP or REST) or application whose certificate chains to one of those CAs.
The requirement is to restrict Tomcat to trusting only organisation-specific certificates. To achieve this we override the cacerts file: create a new keystore file that contains only the required trusted certificates, and place the newly created file at
. This file contains no entries to start off.
Once this is done, applications deployed on Tomcat will throw an SSLHandshakeException whenever they connect to a server whose certificate does not chain to a CA listed in the new cacerts.
The exception seen is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
To allow a server that should be trusted, first download the certificate of the CA that issued its certificate from the browser in .cer format.
To trust a new Certificate Authority:
- View the certificate presented by the server
- Find the Certificate Authority that issued the certificate
- Download the certificate of that Certificate Authority (import the CA certificate rather than the server's own certificate, otherwise trust breaks every time the server certificate is renewed)
- Save the Certificate Authority's certificate as test.cer and import it into the trusted list
Steps to add the certificate to the trusted list
- Open a Command Prompt (cmd) as administrator
- Navigate to
- Check the current number of certificates in the trusted list (skip this step if you are doing this for the first time and the file has no entries yet) by running the command
- Open beforecerts.txt and note the number of imported certificates: "Your keystore contains n entries"
- Issue the following command to import the certificate test.cer
- Check the current number of certificates in the trusted list again
- Open aftercerts.txt and check the number of imported certificates; it should have increased by 1
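The whole procedure above as one cmd batch script, added here as an example and not taken from the original post. It assumes the truststore is a file named cacerts in the current directory, the JDK default store password changeit, an alias orgca for the imported entry, and test.cer in the current directory; all of these are assumptions and should be changed to match your setup. It counts the entries before and after the import, as the steps describe, and fails if the count did not go up by exactly one.

```batch
@echo off
rem Added example, not from the original post: import an organisation CA
rem certificate into a restricted truststore and verify the entry count.
rem Assumed values: truststore file, password changeit (JDK default),
rem alias orgca and certificate file test.cer, all in the current directory.
setlocal

set "TRUSTSTORE=cacerts"
set "STOREPASS=changeit"
set "CERTFILE=test.cer"
set "ALIAS=orgca"

if not exist "%CERTFILE%" (
    echo Certificate file %CERTFILE% not found.
    exit /b 1
)

rem Count entries before the import. On a first run the truststore does not
rem exist yet, keytool prints an error into beforecerts.txt, and the count
rem stays at 0.
set BEFORE=0
keytool -list -keystore "%TRUSTSTORE%" -storepass "%STOREPASS%" > beforecerts.txt 2>&1
for /f "tokens=4" %%n in ('findstr /C:"Your keystore contains" beforecerts.txt') do set BEFORE=%%n
echo Entries before import: %BEFORE%

rem Import the CA certificate. -noprompt skips the "Trust this certificate?"
rem question. keytool creates the truststore file if it does not exist, so
rem the empty starting file needs no separate step. If the alias already
rem exists keytool refuses the import and returns a non-zero errorlevel.
keytool -importcert -noprompt -alias "%ALIAS%" -file "%CERTFILE%" -keystore "%TRUSTSTORE%" -storepass "%STOREPASS%"
if errorlevel 1 (
    echo Import failed, see keytool output above.
    exit /b 1
)

rem Count entries after the import and require exactly one more than before.
set AFTER=0
keytool -list -keystore "%TRUSTSTORE%" -storepass "%STOREPASS%" > aftercerts.txt 2>&1
for /f "tokens=4" %%n in ('findstr /C:"Your keystore contains" aftercerts.txt') do set AFTER=%%n
set /a EXPECTED=BEFORE+1
if not "%AFTER%"=="%EXPECTED%" (
    echo Expected %EXPECTED% entries, found %AFTER%.
    exit /b 1
)
echo Entries after import: %AFTER%

rem Show the fingerprint of the entry that was actually imported, so it can
rem be compared with the fingerprint the CA publishes before going live.
keytool -list -v -keystore "%TRUSTSTORE%" -storepass "%STOREPASS%" -alias "%ALIAS%" | findstr /C:"SHA256"
endlocal
```

Two notes on using it. First, overwriting the JDK's own cacerts works, but a JDK update replaces that file with the stock one and silently restores trust in every public CA. The more robust way to make Tomcat use the restricted file is to leave the JDK alone and point the JVM at your keystore in %CATALINA_BASE%\bin\setenv.bat, for example set "CATALINA_OPTS=%CATALINA_OPTS% -Djavax.net.ssl.trustStore=C:\path\to\cacerts -Djavax.net.ssl.trustStorePassword=changeit" (path assumed); when javax.net.ssl.trustStore is set, the JVM uses only that file, which gives the same restriction. Second, keytool -list -v -alias prints the SHA256 fingerprint of the stored certificate, and comparing it against the value the CA publishes is the check that protects against importing a certificate that was swapped in transit or downloaded from the wrong server.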
Dimit Chadha TOMCAT