Skip to main content


Showing posts from 2019

How to import an untrusted website certificate to the Java keystore

Java uses the keystore file named cacerts. It should already contain all trusted root CA certificates that are used to sign intermediate and leaf certificates. Leaf certificates are end user certificates that are used to secure websites with HTTPS. However, sometimes a root CA certificate might be missing from the Java keystore or a website might be using a self-signed certificate which will result in the following exception when you try to access the website from Java code: PKIX path building failed: unable to find valid certification path to requested target For me it happened with a certificate issued by COMODO. In this case the easiest solution is to add the website certificate to the Java keystore. Shortly, it requires exporting the certificate from the website, importing it into the keystore and restarting your Java application. Please b

PFX keystore notes

This is a short note with useful commands for PFX keystores. Import to AWS Certificate Manager When you need to import PFX certificate into AWS Certificate Manager, you will have to export the unencrypted private key and certificate chain first. Export the unencrypted private key from PFX openssl pkcs12 -in domain_certificate.pfx -nocerts -nodes -out private_key.pem Export the certificate chain from PFX openssl pkcs12 -in domain_certificate.pfx -nokeys -out certificate.pem When you have the PEM files, you can go to the AWS Certificate Manager, click "Import a Certificate" button and enter the following: Certificate body* - paste the first certificate from certificate.pem ending with the words: "-----END CERTIFICATE-----" Certificate private key* - paste the contents of private_key.pem Certificate chain - paste the complete contents of certificate.pem