Help! I Am Getting a Certificate Error (PKIX Path)
If your site is using a self-signed certificate to establish SSL (HTTPS) connections, you may see an error like the following when attempting to connect to Salesforce:

    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        ... 26 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 32 more

This type of error typically means that your network is using a self-signed certificate, which Java cannot chain to any certificate authority in its trust store. To make CopyStorm (or any other Java-based application) work with your certificate, you must add the certificate to Java’s trusted store file “cacerts”.
To add the certificate:
- Get a copy of your certificate.
  - This will be a CER or CRT file (example: mycompany.crt).
- Copy the certificate to the certificate directory in your CopyStorm installation:
- Navigate to the certificate directory in a shell (Linux) or command prompt (Windows) and run the command:
  - ..\..\bin\keytool -import -keystore cacerts -file mycompany.crt
- The tool will ask you for a password. It is “changeit”.
- You’re done! CopyStorm will now connect to Salesforce without a PKIX error.
If your environment requires that multiple certificates be installed, you will need to import each certificate using a unique alias:
- ..\..\bin\keytool -import -keystore cacerts -file firstcertificate.crt -alias firstcertificate
- ..\..\bin\keytool -import -keystore cacerts -file secondcertificate.crt -alias secondcertificate
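Anything imported into “cacerts” becomes trusted by Java, so it is worth confirming that the file really is your organization's certificate before importing it. The script below is an added example, not part of CopyStorm or its documentation: it compares the certificate's SHA-256 fingerprint with a value you obtained separately from whoever issued the certificate, and only then runs the import shown above. It assumes a POSIX shell started in the certificate directory and a keytool that prints a "SHA256:" fingerprint line; the function names and the KEYTOOL variable are hypothetical.

```shell
#!/bin/sh
# Added example: check a certificate's SHA-256 fingerprint before trusting it.
# Usage (from the certificate directory): sh <this script> <cert file> <alias> <expected fingerprint>
# Assumption: KEYTOOL defaults to the page's relative path, written with forward slashes.
KEYTOOL="${KEYTOOL:-../../bin/keytool}"

# Strip colons and whitespace, then uppercase: "ab:cd" -> "ABCD".
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Succeed only if the first value is a full 64-hex-digit fingerprint equal to the second.
fp_matches() {
    a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
    case "$a" in *[!0-9A-F]*|"") return 1 ;; esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Read the SHA-256 fingerprint that keytool reports for a certificate file.
# Assumption: the keytool in use prints a "SHA256:" line in its -printcert output.
cert_fp() {
    "$KEYTOOL" -printcert -file "$1" |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# verify_and_import <cert file> <alias> <expected fingerprint>
verify_and_import() {
    actual=$(cert_fp "$1")
    if ! fp_matches "$3" "$actual"; then
        echo "fingerprint mismatch for $1 (got '$actual'); not importing" >&2
        return 1
    fi
    # Same import command as above, followed by a listing to confirm the entry.
    "$KEYTOOL" -import -keystore cacerts -file "$1" -alias "$2" &&
        "$KEYTOOL" -list -keystore cacerts -alias "$2"
}

# Do nothing unless all three arguments are supplied.
if [ "$#" -eq 3 ]; then
    verify_and_import "$@"
fi
```

The fingerprint comparison ignores colons, spaces and letter case, so the expected value can be pasted in whichever form it was given to you.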
If you have encountered this problem, it is better in the long run to use a “cacerts” file for a Java runtime that is installed globally on your computer. The procedure is the same, but the “cacerts” file is in a different location. If you take this approach then remove the “jre” directory from CopyStorm and the application will use the system default Java.
Here is a great article with more details — please reference it if you need more help.