Saturday, February 16, 2008

GoDaddy as a trusted certificate authority

GoDaddy has not yet ascended to the ranks of the certificate authorities that the Java runtime trusts by default. You have to make this happen manually.

I was getting an exception when attempting to consume a web service over SSL. Here is the exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Message: ; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The fix for this problem was to add GoDaddy as a trusted CA. Here are the steps I took:

1. Download gd_intermediate.cer from here.
2. I put this file in %JAVA_HOME%\jre\lib\security. You can put it anywhere you want.
3. Run the following command at a command prompt:

C:\Program Files\Java\jre1.6.0_02\bin>keytool -import -trustcacerts -alias godaddy-cert -keystore ..\lib\security\cacerts -file ..\lib\security\gd_intermediate.cer

4. You will be prompted for a password. If you have not changed the password, it will be "changeit".
5. If the import succeeds, you will get the message "Certificate was added to keystore".
6. Restart Tomcat.
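As an added example (not code from the post), here is a small Java diagnostic for the "unable to find valid certification path" error above: it loads the same cacerts file the keytool command writes to, reports for each certificate in a server's chain whether a trust-store entry actually signed it, and then runs the same PKIX check the JSSE client performs during the handshake. It assumes Java 7 or later; the class name TrustCheck, its arguments and the PEM chain file (for example saved from openssl s_client) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical diagnostic, not from the post: java TrustCheck chain.pem [cacerts-path] [store-password] */
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        String storePath = args.length > 1 ? args[1]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray(); // stock cacerts password
        // Load the JVM trust store: the same file that keytool -import -trustcacerts writes to
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath)) { store.load(in, password); }
        // Parse the chain the server presents (PEM, leaf first, e.g. saved from openssl s_client)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(args[0])) {
            chain = cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
        // For each certificate, find a trust-store entry that actually signed it (a name match alone is not enough)
        for (X509Certificate c : chain) {
            String verdict = "issuer NOT in trust store";
            for (String alias : Collections.list(store.aliases())) {
                Certificate a = store.getCertificate(alias);
                if (!(a instanceof X509Certificate) || !((X509Certificate) a).getSubjectX500Principal()
                        .equals(c.getIssuerX500Principal())) continue;
                try { c.verify(a.getPublicKey()); verdict = "issuer trusted via alias '" + alias + "'"; break; }
                catch (Exception e) { /* same subject name but a different key: keep looking */ }
            }
            System.out.println(c.getSubjectX500Principal() + " -> " + verdict);
        }
        // Run the same PKIX check JSSE performs during the handshake
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(chain, "RSA");
            System.out.println("PKIX path built OK against " + storePath);
        } catch (CertificateException e) {
            System.out.println("PKIX path building failed: " + e.getMessage());
        }
    }
}
```

Running it before and after the keytool import shows which link in the chain (the intermediate, or the root the last comment mentions) the store was missing. Note that checkServerTrusted validates the chain only; hostname matching is a separate check that the application or HTTPS client performs.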

4 comments:

Unknown said...

Brian, Excellent article. I have a question: do I need to run the keytool if I upgrade JRE version?

Brian Barnett said...

Renu,
I am not sure if you need to run the keytool after upgrading JRE. Not sure if the JRE upgrade carries over trusted certificates that have been added. My guess would be that the upgrade takes care of things like that, but like I said, not 100% sure. You may need to ask this question on a Java forum.

Anonymous said...

People should read this.

Unknown said...

Good find - thanks for the article.

Server owners can install gd_bundle.crt from the same repository and help every client avoid the need to install the gd_intermediate cert... not just JVM, but browsers and IMAPS clients, too.

But it appears that some JVMs don't have a cert for ValiCert, which is the ultimate signing authority for GoDaddy's chain. There's no way around installing that one.