unable to find valid certification path to requested target
https://blog.csdn.net/write_down/article/details/79114573
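1. Prerequisites
To follow this article you need the following background:
the basic principles of HTTPS, including certificate distribution and key negotiation [1];
the basic principles of HTTP and HTTPS proxies [2];
common local HTTP proxy tools such as Fiddler and BurpSuite;
knowledge of Java and of the basic features and API of HttpClient [3].
2. Problem description and analysis
A program written with HttpClient accesses an HTTPS page, and the traffic has to pass through a local HTTP/HTTPS proxy, as shown below:
Java program (HttpClient-based) <-----> proxy tool (e.g. Fiddler) <-----> web server
When the Java program runs, it throws an exception with the message: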
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
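The error message shows that the site's certificate could not be validated: no certification path could be found. To fix this, I imported the certificate generated by the proxy tool into the operating system's certificate store as a trusted root certificate, but the problem remained. Only after reading the documentation did it become clear: Java's certificate validation is independent of the operating system and the browser and uses the certificate store inside the JRE, so the proxy tool's certificate must be added to the JRE's certificate store.
Solution
1. First export the target site's certificate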
https://blog.csdn.net/c5113620/article/details/80384660
The certificate exported for https://jmeter-plugins.org/ is jmeter-pluginsorg.crt
2. Change to the C:\Program Files\Java\jre1.8.0_151\bin directory
.\keytool.exe -import -alias JMeter -keystore ..\lib\security\cacerts -file "C:\Windows\System32\jmeter-pluginsorg.crt"
If you are prompted for a password, the Java default is changeit; finally enter y to trust this certificate.
3. Still in the same directory
C:\Program Files\Java\jre1.8.0_151\bin> .\keytool.exe -list -keystore ..\lib\security\cacerts -alias JMeter
Enter keystore password:
JMeter, Feb 27, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 58:EF:9D:99:03:E7:3E:F0:19:6A:24:26:5E:6A:18:B1:B5:44:66:88
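An added example, not from the original post or the linked articles: the steps above import into the JRE-wide cacerts, which makes every Java program on that JRE trust the certificate. This sketch prints the exported certificate's fingerprint for checking and then builds an in-memory trust store for one program only, from the JRE defaults plus that single certificate. The class name ScopedTrust, the alias and the file-path argument are assumptions.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class ScopedTrust {   // hypothetical class name
    // SHA-256 fingerprint as colon-separated hex, for comparison with a known-good value
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(sb.length() == 0 ? "" : ":").append(String.format("%02X", b));
        return sb.toString();
    }

    // SSLContext trusting the JRE default CAs plus one extra certificate; cacerts is not modified
    static SSLContext contextTrusting(X509Certificate extra, String alias) throws Exception {
        TrustManagerFactory def = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        def.init((KeyStore) null);                 // null = load the JRE default trust store
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // empty store held only in memory
        int i = 0;
        for (TrustManager tm : def.getTrustManagers())
            if (tm instanceof X509TrustManager)
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers())
                    ks.setCertificateEntry("jre-" + i++, ca);
        ks.setCertificateEntry(alias, extra);      // the one certificate exported in step 1
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) { System.err.println("usage: java ScopedTrust <cert-file>"); return; }
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("SHA-256: " + fingerprint(cert));
        SSLContext ctx = contextTrusting(cert, "JMeter");   // alias is an assumption
        System.out.println("Built " + ctx.getProtocol() + " context for this program only");
    }
}
```

Hand the returned SSLContext to the HTTP client the program uses, so the extra trust applies to that client alone.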
Further reading
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html?jn9ed3e997=3
- Delete a certificate from a Java Keytool keystore
keytool -delete -alias mydomain -keystore keystore.jks
https://blog.csdn.net/duan19056/article/details/21025349
Import
keytool -import -keystore "C:\Program Files (x86)\Java\jre6\lib\security\cacerts" -storepass changeit
Delete
keytool -delete -alias emailcert -keystore "C:\Program Files (x86)\Java\jre6\lib\security\cacerts" -storepass changeit
List
C:\Program Files\Java\jre1.8.0_151\bin> .\keytool.exe -list -keystore "C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts" -storepass changeit -alias JMeter
JMeter, Feb 27, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 58:EF:9D:99:03:E7:3E:F0:19:6A:24:26:5E:6A:18:B1:B5:44:66:88
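Rename (in the first command below -destalias is given no value, so keytool takes -keystore as the new alias and rejects the keystore path as an illegal option; the last command is the working form)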
C:\Program Files\Java\jre1.8.0_151\bin> .\keytool.exe -changealias -alias JMeter -destalias -keystore "C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts" -storepass changeit -v
Illegal option: C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts
keytool -changealias [OPTION]...
Changes an entry's alias
Options:
-alias <alias> alias name of the entry to process
-destalias <destalias> destination alias
-keypass <arg> key password
-keystore <keystore> keystore name
-storepass <arg> keystore password
-storetype <storetype> keystore type
-providername <providername> provider name
-providerclass <providerclass> provider class name
-providerarg <arg> provider argument
-providerpath <pathlist> provider classpath
-v verbose output
-protected password through protected mechanism
Use "keytool -help" for all available commands
.\keytool.exe -changealias -alias JMeter4 -destalias JMeter -keystore "C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts" -storepass changeit
https://stackoverflow.com/questions/21076179/pkix-path-building-failed-and-unable-to-find-valid-certification-path-to-requ?answertab=votes#tab-top
- Go to URL in your firefox browser, click on HTTPS certificate chain (next to URL address). Click "more info" > "security" > "show certificate" > "details" > "export..". Pickup the name and choose file type example.cer. Now you have file with keystore and you have to add it to your JVM.
- Determine location of cacerts files, eg. C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts.
- Next import the example.cer file into cacerts in command line:
keytool -import -alias example -keystore "C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts" -file example.cer
You will be asked for password which default is changeit
- Restart your JVM/PC.
source: http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html
Author: Chuck Lu