
Certificate Management Service: The "sun.security.validator.ValidatorException: PKIX path building failed" error is reported. What do I do?

Last Updated: Feb 06, 2024

When a Java client accesses an HTTPS website, the Java client attempts to build a chain of trust from the certificate of the server that hosts the website to the root certificate authority (CA) certificate. If the chain fails to be built, the following errors may be reported:

  • javax.net.ssl.SSLHandshakeException: indicates that the SSL or TLS handshake failed. The reason may be that the server certificate is untrusted. In this case, check whether the server certificate is valid and has not expired.

  • sun.security.validator.ValidatorException: indicates that the Public Key Infrastructure (PKI) certificate path failed to be built. During certificate chain verification, the client cannot find a valid path from the server certificate to a trusted root CA. The reason may be that the Java Virtual Machine (JVM) truststore does not contain a root certificate or an intermediate certificate that is required for the server certificate. In most cases, the JVM truststore is the file $JAVA_HOME/jre/lib/security/cacerts. We recommend that you add the root certificate or the complete certificate chain of the server certificate to the JVM truststore. For more information about how to download a root certificate and an intermediate certificate of a certificate brand, see Download a root certificate and an intermediate certificate.

    Note

    In Java, the JVM truststore is a keystore file that contains a set of trusted CA certificates or self-signed certificates. The JVM truststore is used to verify the identity of a remote server. The default path to the truststore file varies based on the operating system and Java version of your client.
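
The following script is an added example, not part of the original document: it locates the truststore for a given JAVA_HOME and imports a CA certificate with keytool only after the certificate's SHA-256 fingerprint matches a value you obtained from the CA through a separate channel. The function names, the alias argument and the argument order are assumptions; `changeit` is the JDK's default truststore password.

```shell
#!/usr/bin/env bash
# Added example: function names, alias and argument order are hypothetical.

# Print the truststore path for a JAVA_HOME. JDK 8 and earlier keep it under
# jre/lib/security (lib/security for a bare JRE); JDK 9+ under lib/security.
find_cacerts() {
  local home=$1 p
  for p in "$home/jre/lib/security/cacerts" "$home/lib/security/cacerts"; do
    if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
  done
  return 1
}

# Normalise a fingerprint ("ab:cd:..." or "ABCD...") to bare upper-case hex.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# SHA-256 fingerprint of a certificate file, as printed by keytool -printcert.
cert_fp() {
  keytool -J-Duser.language=en -printcert -file "$1" |
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Import CERT under ALIAS only if its fingerprint equals EXPECTED.
import_ca() {
  local store=$1 cert=$2 alias=$3 expected=$4 pass=${5:-changeit} actual
  actual=$(normalize_fp "$(cert_fp "$cert")")
  if [ -z "$actual" ] || [ "$actual" != "$(normalize_fp "$expected")" ]; then
    echo "fingerprint mismatch for $cert: got '$actual'" >&2; return 1
  fi
  # An existing alias is left untouched; inspect it manually before replacing.
  if keytool -list -keystore "$store" -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
    echo "alias '$alias' already present in $store" >&2; return 0
  fi
  # Keep a backup so the change to the JVM-wide trust anchors can be reverted.
  cp -p "$store" "$store.bak" &&
    keytool -importcert -noprompt -trustcacerts -keystore "$store" \
      -storepass "$pass" -alias "$alias" -file "$cert"
}

# Usage: script.sh JAVA_HOME CERT ALIAS EXPECTED_SHA256
if [ "$#" -eq 4 ]; then
  store=$(find_cacerts "$1") || { echo "no cacerts under $1" >&2; exit 1; }
  import_ca "$store" "$2" "$3" "$4"
fi
```

Every certificate in this file becomes a trust anchor for all HTTPS connections made by that JVM, so import only CA certificates, not arbitrary server certificates whose origin you have not verified.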