By Adi Atzmony.
In some cases you may be faced with PKIX or certification path errors when running Eclipse/Selenium. This article will explain how to resolve these issues
Updating the Java Keystore with the Perfecto Lab certificate(s):
The Java Keystore contains several known certificates. In case the Perfecto Lab uses a certificate that does not exist in the keystore, you will need to add it. Otherwise, the following errors will appear when running the test.
- Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The following describes the process for updating the default Java Keystore with the required certificates.
Identifying your certificates
- Open your Perfecto Lab in a browser (the example below uses Chrome)
- Right click on the security icon in the URL bar
- Click on the Certificate information link in the Connection tab
- View the certificate Thumbprint
There are typically three certificate levels, as shown in the example below. However, there may be more.
Complete this process for each certificate level, with the exception of the last one in the chain.
Check the Java keystore to identify the unrecognized certificates.
1. Check the Java installation being used by Eclipse.
From within Eclipse, go to Windows > Preferences > Java > Installed JREs
Note: This step is important since in some cases there is more than one Java installation on a single machine.
2. Search for your certificates in the Java keystore, using keytool.
From cmd prompt, navigate to the Java installation folder (identified in previous step 1), and run the keytool.exe to extract the list of certificates (listOutput.txt file) with the list command.
For example, keytool -list -keystore "C:\Program Files\Java\jre7\lib\security\cacerts" >C:\temp\listOutput.txt
Open the listOutput.txt file and search for your certificate thumbprints to identify the unrecognized certificate. Notice: Replace the spaces with a ':' in the thumbprint string when searching in the listOutput file. For example: 4e b6 d5 78 ... --> 4e:b6:d5:78 ...
Adding Certificate to keystore
Once you have located the unrecognized certificate, you will need to update the keystore.
1. Generate a new certificate file.
From your browser, click on Copy to File and complete the Certificate Export Wizardsteps.
Notice: When exporting, select the DER encoded binary X.509 (.CER) file format.
Save the certificate file locally. For Example, C:\temp\new.cer.
2. Update keystore with the new certificate.
Copy the cacerts file to a temp location.
Note: This step is important since in some cases updating directly to Program Files is restricted, and you will receive the keytool error "Access is denied".
From cmd prompt, run the importcert command.
keytool -importcert -file C:\temp\new.cer -keystore "C:\temp\cacerts"
Copy cacerts file back to Program Files location.
Validating the certificate
Confirm that the keystore has been updated with the new certificate.
1. Search for your certificates in the Java keystore, using keytool.
(same as step 2 in keystore validation section above)
From cmd prompt, navigate to the Java installation folder, and run the keytool.exe to extract a newListOutput.txt file with the list command.
keytool -list -keystore "C:\Program Files\Java\jre7\lib\security\cacerts"_> C:\temp\newListOutput.txt
Open the newListOutput.txt file and search for the certificate thumbprint. Notice: the number of entries in the newListOutput file should have increased due to the new entry.
If you still face the same errors, please review the additional troubleshooting document called