I was trying to send a request to a host server using SOAP and it required a certificate since cxf needs one.
I exported the certificate using this command to the cacerts file in JAVA_HOME:

```
keytool -import -trustcacerts -alias fooAlias -file foo -keystore cacerts
```
but after trying to send the request again I got this exception:

```
pkix path building failed: sun.security.provider.certpath.suncertpathbuilderexception:
unable to find valid certification path to requested target
```
And of course I went and searched for a solution, which turned out to be adding the certificate to the cacerts file, which I had already done!! So it created kind of a confusion as to why this happened.
Then after 2 days of trying to figure it out and losing all hope I opened the certificate by chance and I found that it was expired 3 months ago.
I contacted the team and requested a new valid one, and after adding it the error went away, and the request got sent.
So please, can someone tell me why keytool did not show a warning when I tried to add the expired certificate?
It would've made sense for it to do so since the error was thrown because it was expired.
And why would it even allow expired certificates to be added.
Keytool will not warn when you try to add the certificate. The command that you have used imports a root or intermediate CA certificate to an existing Java keystore and it does the same for you.
As the command only asks for an instance of the certificate, it never checks the validity. The validity check should be done by the user of the certificate, not the provider. So the code works as expected.
You can check the validity of the certificate by

```
$ keytool -printcert -v -file [CERTIFICATE]
```

Output:

```
Owner:
Issuer: CN=CPD Root CA, DC=cpd, DC=local
Serial number: 39e8d1610002000000cb
Valid from: Wed Feb 22 21:36:31 CET 2012 until: Thu Feb 21 21:36:31 CET 2013
Certificate fingerprints:
MD5: 82:46:8B:DB:BC:5C:64:21:84:BB:68:E3:4B:D4:35:70
SHA1: 35:52:CA:F2:11:66:1E:50:63:BC:53:A5:50:C1:F0:1E:62:81:BC:3F
Signature algorithm name: SHA1withRSA
```
To understand it in a better way you can check the code below.

Keytool.java has a main method which takes all the arguments that you are passing. Then it parses them and passes them to doCommands for further processing.

```java
public static void main(String[] args) throws Exception {
    Main kt = new Main();
    kt.run(args, System.out);
}

private void run(String[] args, PrintStream out) throws Exception {
    try {
        parseArgs(args);
        if (command != null) {
            doCommands(out);
        }
    } // catch/finally blocks omitted from this excerpt
}
```
Then it calls KeyStoreUtil to get the cacerts KeyStore.

```java
if (trustcacerts) {
    caks = KeyStoreUtil.getCacertsKeyStore();
}
```
From KeyStoreUtil it gets the file and calls KeyStore to get an instance.

```java
/**
 * Returns the keystore with the configured CA certificates.
 */
public static KeyStore getCacertsKeyStore() throws Exception {
    File file = new File(getCacerts());
    if (!file.exists()) {
        return null;
    }
    return KeyStore.getInstance(file, (char[])null);
}
```
In KeyStore it returns a loaded keystore object of the appropriate keystore type.

```java
public static final KeyStore getInstance(File file, char[] password)
        throws KeyStoreException, IOException, NoSuchAlgorithmException,
        CertificateException {
    return getInstance(file, password, null, true);
}
```
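The answer's point is that `keytool -import` only stores the certificate and leaves the validity check to the caller. The following is an added example, not code from the answer or from the JDK, that performs that check in Java: it runs `checkValidity()` on the certificate file you are about to import, then scans an existing truststore for entries that are already expired. The class name TrustStoreAudit is an assumption, and "changeit" (the JDK's default cacerts password) is assumed when no password argument is given.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;

// Added example (not from the answer or the JDK): the validity check that
// "keytool -import" skips. Usage: java TrustStoreAudit <cert-file> <truststore> [storepass]
public class TrustStoreAudit {
    // Returns true if the certificate is valid at this moment; otherwise prints why not.
    static boolean isValidNow(X509Certificate cert) {
        try {
            cert.checkValidity(new Date());
            return true;
        } catch (CertificateExpiredException e) {
            System.out.println("EXPIRED on " + cert.getNotAfter() + ": " + cert.getSubjectX500Principal());
            return false;
        } catch (CertificateNotYetValidException e) {
            System.out.println("NOT YET VALID until " + cert.getNotBefore() + ": " + cert.getSubjectX500Principal());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Parse the file you are about to hand to "keytool -import -file <cert-file>".
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        System.out.println("Import candidate currently valid: " + isValidNow(cert));

        // 2. Audit the truststore itself (e.g. the cacerts file under JAVA_HOME).
        //    "changeit" is the JDK's default cacerts password; assumed here if none is given.
        char[] pass = (args.length > 2 ? args[2] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            ks.load(in, pass);
        }
        int bad = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            java.security.cert.Certificate c = ks.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate && !isValidNow((X509Certificate) c)) bad++;
        }
        System.out.println(bad + " expired or not-yet-valid entries in " + args[1]);
    }
}
```

Run it against the certificate file before the `keytool -import` step; an expired certificate is reported here instead of surfacing later as the PKIX path-building failure from the question.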