TDIing out loud

Ramblings on the paradigm-shift that is TDI.

Monday, February 13, 2012

Certificate chain chain chaining error

You're trying to connect to an https server but get an SSL handshake exception. The error message tells you that the certificate you received from the secure server is not trusted. What does this mean, and what do you do about it?

This exception means that the cert you got from the server is not in your TDI truststore - the one referenced by the javax.net.ssl.truststore property - or it is signed by another certificate that is not found there. To fix this issue you have to get necessary public key certificate and import it into your truststore.

So how do you get hold of this cert? If you know the admin(s) for the server then you can request it from them. Another approach is to connect and blindly assume that the certificate recieved is trusted. Some browsers allow you to save the cert to file. You can also use the Java utility provided in this article.

Once you have the certificate file you import it into your truststore either by using the commandline utility, keytool, found in the jvm/jre/bin folder of your TDI installation, or by using the iKeyMan application linked in button bar at the top of the TDI Configuration Editor (CE).


If you haven't changed the default security setup then the truststore will be the testadmin.jks file found in the serverapi folder of your Solution Directory. The default password is 'administrator'.

Once the certificate is imported, the SSL connection will work.

And, as always, thanks to Jens Thomassen for his invaluable insight and guidance!