向Java信任库和Sslhandshake添加证书

Question

I sent http request with Java Program (using HttpUrlConnection) to web site and download files from there.

The website is "https" and use certificates.

When I try to run my code it take exception:

cause javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I tried to go this web site with my Browser(Mozilla).And when I check the certificates,There are three certificates.The site contain these certs.

DigiCert High Assurance EV Root CA

-DigiCert High Assurance CA-3

-thecompanycert (Issued by DigiCert High Assurance CA-3)

And I check my trustsroe with keytool. The truststore only has the Root CA. Is it enough or I have to import the other 2 certificate? Or only -thecompanycert?

What is the risks of adding intermediate certificates to the java truststore? Am I have to do this?

Can anyone help about that?

Answer 1

If the server was configured correctly, it should send the site certificate along with any/ all intermediate certificates that are required to build the trust chain. It appears the site you're connecting to isn't sending the intermediate cert(s).

If you are the site admin, you can correct this and you wouldn't have to mess around with the Java client trust store.

If you are an end user, you can add the intermediate cert(s) to the Java trust store. You would not be required to add the site certificate. However, do contact the site owner and request them to have this corrected.

I'd posted a similar answer a few days ago.

Answer 2

Given that that CA and intermediate CA are already present in the default truststore in recent Java version you shouldn't need to import them unless you are using an older Java version. In any case it depends on how much you trust the CA but Java and most browsers already trust it.