Java mail with SSL - PKIX path validation failed

Question

I try to use self-signed certificate to get e-mails by imap with ssl, but it doesn't work. When I try to connect, I get "PKIX path validation failed" exception. I've added my certificate to java keystore and set related properties in my code but I'm not sure if is it enough. There are some details of my situation:

I created my own keystore and imported this certificate into it with keytool command:

keytool -import -trustcacerts -alias root -file mycert.crt -keystore C:\Users\me\Desktop\keystore.jks

My code is:

System.setProperty("javax.net.ssl.keyStore", "C:/Users/me/Desktop/keystore.jks");
System.setProperty("javax.net.ssl.trustStore", "C:/Users/me/Desktop/keystore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "123456");
System.setProperty("javax.net.ssl.keyStorePassword", "123456");

Message[] emails;
Folder folder = null;
Store store = null;

try {
Properties props = System.getProperties();

Session session = Session.getDefaultInstance(props, null);
store = session.getStore("imaps");

store.connect(host,login, password);
folder = store.getFolder("INBOX");
folder.open(Folder.READ_ONLY);

emails = folder.getMessages();
System.out.println("You've got: "+emails.length+" emails");

} catch (Exception e) {
e.printStackTrace();
}
finally {
if (folder != null)
    folder.close(false);
if (store != null)
    store.close();
}

On store.connect() I get "PKIX validation failed exception". There is a stacktrace:

javax.mail.MessagingException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: unrecognized critical extension(s);
  nested exception is:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: unrecognized critical extension(s)
    at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:674)
    at javax.mail.Service.connect(Service.java:345)
    at javax.mail.Service.connect(Service.java:226)
    at Mail.checkMailBox(Mail.java:69)
    at Mail.main(Mail.java:99)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: unrecognized critical extension(s)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:528)
    at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:333)
    at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:229)
    at com.sun.mail.iap.Protocol.<init>(Protocol.java:116)
    at com.sun.mail.imap.protocol.IMAPProtocol.<init>(IMAPProtocol.java:115)
    at com.sun.mail.imap.IMAPStore.newIMAPProtocol(IMAPStore.java:689)
    at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:638)
    ... 4 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: unrecognized critical extension(s)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:260)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
    ... 18 more
Caused by: java.security.cert.CertPathValidatorException: unrecognized critical extension(s)
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:192)
    at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345)
    ... 24 more

Is there anything more what I need in my code, or something is wrong with my cert? What's the cause of this problem? Please help.

Regards, Artur

Answer 1

I don't see what you're doing wrong, but you might want to try the procedure described here . See also this JavaMail FAQ entry with more advice.