How to add an SSL cert to the Java trust store (macOS)?

nish abe
2 min read · Jul 15, 2019

I was working on publishing the code coverage metrics using sonar-scanner to the SonarQube server and found the below error in the terminal window.

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Turns out that Java is not trusting the self-signed certificate used at my work because it is not present in the TrustStore.

Solution:

Open terminal.

Step 1: View the SSL certs used at the remote endpoint by executing the below command:

openssl s_client -showcerts -connect sonarqube-at.remote.server.com:443

In the above step, we are just checking if the cert is exportable. Please note that the server address does NOT include the ‘https://’ part.

Step 2: Export those certs locally:

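openssl s_client -connect sonarqube-at.remote.server.com:443 </dev/null | openssl x509 -out sonar_ssl.cert

Redirecting stdin from /dev/null makes s_client exit after the handshake instead of waiting for input. The cert is written to the current directory, which is your home folder in a newly opened terminal.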

Step 3: Import the cert into the Java trust store. Please make sure to check your JDK version and update the path in the command as needed:

sudo keytool -import -alias sonar_certificate -file sonar_ssl.cert -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_212.jdk/Contents/Home/jre/lib/security/cacerts

You will be asked to enter the system admin password.

Then it will ask for the key store password which is ‘changeit’ by default.

Then there will be a confirmation prompt for which you need to enter ‘yes’.

Once the above steps are complete, restart the system so that the changes will take effect.
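Step 2 saves whatever certificate the unauthenticated s_client connection returned, so it is worth comparing its SHA-256 fingerprint with a value obtained out of band (for example from the server administrator) before Step 3 makes the JVM trust it. The script below is an added example, not part of the original post; the function names and argument order are assumptions, and it must be run with sufficient privileges when the target is the system cacerts file.

```shell
#!/bin/sh
# Added example: pin-check an exported certificate before importing it.

# Print the SHA-256 fingerprint of a PEM certificate as uppercase hex without
# colons. Prints nothing if the file is not a parseable certificate.
cert_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
    sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Return 0 only if the certificate in $1 has the expected fingerprint $2.
# The expected value may be written with or without colons, in either case.
# The ( ) body runs in a subshell, so the variables stay local.
verify_cert_pin() (
  expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
  actual=$(cert_sha256 "$1")
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
)

# Import the certificate only when the pin matches, then list the new entry
# so the alias and fingerprint stored in the trust store can be confirmed.
# Arguments: cert file, expected fingerprint, alias, keystore path, store password
import_if_pinned() (
  cert=$1 expected=$2 alias=$3 keystore=$4 storepass=$5
  if ! verify_cert_pin "$cert" "$expected"; then
    echo "fingerprint mismatch for $cert: not importing" >&2
    exit 1
  fi
  keytool -importcert -noprompt -alias "$alias" -file "$cert" \
    -keystore "$keystore" -storepass "$storepass" &&
    keytool -list -alias "$alias" -keystore "$keystore" -storepass "$storepass"
)

# When called with all five arguments, perform the checked import, e.g.
#   sudo sh pin_import.sh sonar_ssl.cert <EXPECTED_SHA256> sonar_certificate \
#     <path to cacerts> changeit
# (pin_import.sh is a hypothetical file name; <...> values are placeholders.)
if [ "$#" -eq 5 ]; then
  import_if_pinned "$@"
fi
```

A mismatch means the connection in Step 2 did not return the certificate you expected, and the import is skipped.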


nish abe

"Curious to know how things work and interested in making things work". https://nishabe.github.io/