Handling Java SSL Certificate Exception

If you make an HTTPS call to the AvaTax web service from a WebSphere Message Broker and receive an exception message similar to the one below, it is likely that the Message Broker is unable to build the entire certificate path. The Message Broker “keystore” must contain every certificate in the “chain” of CAs.

javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error

One way to verify that all of the required certificates are in your keystore is to use “keytool” from the bin directory of the interface in use.

  1. Start an Administrator Command Prompt.
  2. Navigate to the bin directory of the API method you are using.
  3. Type keytool -list and review the certificates stored. You should see at least one Verisign certificate authored by Avalara with an expiration date later than the current date.
  4. If not, you may need to recreate the keystore with 'keytool' using the "genkey" option and re-import your application certificates if any of the components of the certificate chain are missing or out of date.
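
The check in steps 3 and 4 can also be done programmatically. The following is an added example, not Avalara's or IBM's code: it assumes Java 7 or later and a keystore the JVM can load as its default keystore type, and the class name KeystoreChainCheck and its two command-line arguments are hypothetical. Issuers are matched by distinguished name only; signatures are not verified.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;

// Added example: reports expired certificates and certificates whose issuer
// is absent from the keystore (the usual cause of "PKIX path building failed").
// Usage (hypothetical): java KeystoreChainCheck <keystore-path> <password>
public class KeystoreChainCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: KeystoreChainCheck <keystore> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        // Collect every X.509 certificate, including those inside key-entry chains.
        List<X509Certificate> certs = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias); // null for trusted-cert entries
            if (chain == null) chain = new Certificate[] { ks.getCertificate(alias) };
            for (Certificate c : chain)
                if (c instanceof X509Certificate) certs.add((X509Certificate) c);
        }
        Set<X500Principal> subjects = new HashSet<>();
        for (X509Certificate c : certs) subjects.add(c.getSubjectX500Principal());

        Date now = new Date();
        int problems = 0;
        for (X509Certificate c : certs) {
            X500Principal subject = c.getSubjectX500Principal();
            X500Principal issuer = c.getIssuerX500Principal();
            boolean expired = now.after(c.getNotAfter());
            // A self-signed root is its own issuer; any other cert needs its issuer present.
            boolean issuerMissing = !subject.equals(issuer) && !subjects.contains(issuer);
            if (expired || issuerMissing) problems++;
            System.out.printf("%s%n  issuer: %s%n  expires: %s%s%s%n",
                subject.getName(), issuer.getName(), c.getNotAfter(),
                expired ? "  [EXPIRED]" : "",
                issuerMissing ? "  [ISSUER NOT IN KEYSTORE]" : "");
        }
        System.exit(problems == 0 ? 0 : 1); // non-zero exit when anything is flagged
    }
}
```

Any entry flagged as expired or missing its issuer is a candidate for the re-import described in step 4.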

Search https://www-947.ibm.com/support/entry/portal/support for “keystore” or “keytool” or “genkey” for more information.

Note: If you are using a Microsoft Windows environment, Certificate Manager (CertMgr) can be accessed via your device's Management Console. You will need administrative rights to use this tool.
