Help! I Am Getting a Certificate Error (PKIX Path)

If your site is using a self-signed certificate to establish SSL (HTTPS) connections, you may see an error like the following when attempting to connect to Salesforce:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
                at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
                at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
                at sun.security.validator.Validator.validate(Unknown Source)
                at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
                at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
                at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
                ... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
                at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
                at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
                at java.security.cert.CertPathBuilder.build(Unknown Source)
                ... 32 more

This type of error typically means that your network is using a self-signed certificate. To make CopyStorm (or any other Java-based application) work with your certificate, you must add the certificate to Java’s trusted store file “cacerts”.

To automatically add the certificate

  • Open the “Help” menu in the top left of the application GUI and select the “Load Network Certificates” option.
  • This will open the “Certificate Viewer” popup where you can view, approve, or export the necessary certificates.
  • Approve the certificates by clicking the “Approve” button. This will create a keystore file called “CapStormKeyStore.jks”, containing the approved certificates, in the best practice setup CapstormConfig directory or in the current user’s home directory. CapStorm applications will use this keystore file for SSL traffic.

To manually add the certificate

  • Get a copy of your certificate.
    • This will be a CER or CRT file (example: mycompany.crt).
  • Copy the certificate to the certificate directory in your CopyStorm installation:
    • [CopyStormRoot]/jre/lib/security
  • Navigate to the certificate directory in a shell (Linux) or command prompt (Windows) and run the command below (on Linux, replace the backslashes in the path with forward slashes):
    • ..\..\bin\keytool -import -keystore cacerts -file mycompany.crt
    • The tool will ask you for the keystore password. It is “changeit”.
  • You’re done! CopyStorm will now connect to Salesforce without a PKIX error.

If your environment requires that multiple certificates be installed, you will need to import each certificate using a unique alias:

  • ..\..\bin\keytool -import -keystore cacerts -file firstcertificate.crt -alias firstcertificate
  • ..\..\bin\keytool -import -keystore cacerts -file secondcertificate.crt -alias secondcertificate
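Every certificate in “cacerts” is trusted for all TLS connections the Java runtime makes, so it is worth confirming that the file is the certificate you expect before importing it. The script below is an added example, not part of CopyStorm or the original article: it compares the SHA-256 fingerprint that keytool reports with one obtained out of band, then imports under an alias and lists the new entry. The function names, the KEYTOOL variable and the Linux-style ../../bin/keytool path are assumptions.

```shell
#!/bin/sh
# Added example (not CopyStorm code). Run from [CopyStormRoot]/jre/lib/security.
# KEYTOOL and all function names are assumptions made for this illustration.
KEYTOOL="${KEYTOOL:-../../bin/keytool}"

# Normalise a fingerprint: strip colons and whitespace, upper-case the hex.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \t\r\n' | tr '[:lower:]' '[:upper:]'
}

# Succeed only if both values are the same 64-hex-digit SHA-256 fingerprint.
fp_matches() {
  fp_a=$(normalize_fp "$1")
  fp_b=$(normalize_fp "$2")
  case "$fp_a" in
    *[!0-9A-F]*) return 1 ;;          # reject anything that is not hex
  esac
  [ "${#fp_a}" -eq 64 ] && [ "$fp_a" = "$fp_b" ]
}

# Print the SHA-256 fingerprint keytool reports for a certificate file.
cert_sha256() {
  "$KEYTOOL" -printcert -file "$1" |
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# import_verified <cert-file> <alias> <expected-sha256> [keystore]
# Imports only when the file's fingerprint equals the expected one.
import_verified() {
  iv_cert=$1; iv_alias=$2; iv_expected=$3; iv_store=${4:-cacerts}
  iv_actual=$(cert_sha256 "$iv_cert") || return 1
  if ! fp_matches "$iv_actual" "$iv_expected"; then
    echo "fingerprint mismatch for $iv_cert (got '$iv_actual'), not importing" >&2
    return 1
  fi
  # -noprompt skips keytool's "Trust this certificate?" question, which the
  # fingerprint check above has already answered; the password is still asked.
  "$KEYTOOL" -import -noprompt -keystore "$iv_store" \
    -file "$iv_cert" -alias "$iv_alias" || return 1
  "$KEYTOOL" -list -keystore "$iv_store" -alias "$iv_alias"
}

# Usage: sh import_verified.sh mycompany.crt mycompany <expected-sha256>
if [ "$#" -ge 3 ]; then
  import_verified "$@"
fi
```

Get the expected fingerprint from whoever issued the certificate, through a channel other than the one that delivered the file.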

If you have encountered this problem, it is better in the long run to use a “cacerts” file for a Java runtime that is installed globally on your computer. The procedure is the same, but the “cacerts” file is in a different location. If you take this approach, remove the “jre” directory from CopyStorm and the application will use the system default Java.

Here is a great article with more details — please reference it if you need more help.