What causes PKIX path building failed in Java?

PKIX path building failed is caused by a missing intermediate or root certificate in the trust chain. Java cannot verify the certificate because the full chain from the leaf certificate to a trusted root CA is incomplete. The fix is to import the missing intermediate CA certificate into your JKS trust store using keytool.

How do I analyse a JKS keystore?

Upload your JKS keystore file to CertLens. It will instantly show every alias, the full certificate chain, expiry dates, and any trust or crypto issues — without needing to run keytool commands. Supports JKS, PKCS#12, PEM, and CRT formats.

How do I check if a TLS certificate is valid?

Enter any domain name in CertLens TLS scanner. It fetches the live certificate chain, validates trust, checks expiry, and identifies any missing intermediate certificates or weak cryptographic algorithms. Free, no account required.

What is the difference between JKS and PKCS12?

JKS (Java KeyStore) is a proprietary Java format deprecated in JDK 17+. PKCS12 is an industry-standard format that works with Java, OpenSSL, Windows, and macOS. Oracle recommends migrating from JKS to PKCS12 for all new applications.

Is CertLens free to use?

Yes, CertLens is completely free. No account is required to scan certificates, analyse keystores, or check live TLS endpoints. Certificate files are never stored or logged.

Certificate Intelligence Platform

Stop TLS Failures
Before They Hit Production

Detect certificate expiry, broken trust chains, and keystore misconfigurations in seconds. Built for engineers working with real-world infrastructure.

Scan Certificates Scan Live Domain →

✓ PEM · CRT · JKS · PKCS#12 · ✓ Live TLS endpoints · 🔒 Never stored

Common TLS Errors

Errors We Help You Fix

The cryptic Java stacktraces and OpenSSL errors that halt deployments — decoded and resolved.

⛓️

PKIX path building failed

Missing intermediate or root certificate in trust chain

🔗

unable to get local issuer certificate

Issuer not found in local trust store

🚫

certificate verify failed

Certificate rejected during handshake validation

🏷️

hostname mismatch

CN / SAN doesn't match the hostname being accessed

Features

Everything You Need to Debug TLS

Built beyond basic expiry checks — CertLens understands the full PKI stack.

🔗

Fix Trust Chain Issues

Instantly identify missing intermediates and root certificates. Get the exact commands to repair your chain.

🔐

Analyze Java Keystores

Upload JKS or PKCS#12 files. Inspect every alias, expiry, and chain inside your keystore.

🌐

Scan Live TLS Endpoints

Point CertLens at any domain. Get a full chain analysis without touching your server config.

📅

Detect Expiry Early

See exact days remaining for every certificate in your chain. Get colour-coded risk ratings.

⚠️

Risk & Security Insights

Score your certificate configuration against security best practices. Know your real exposure.

📄

Export Audit Reports

Download full PDF reports of your certificate scan. Share with your team or auditors.

Why CertLens

Built Different. For Real Infrastructure.

Most tools just check if a cert is expired. CertLens tells you why it fails and exactly how to fix it.

Built for Real Infrastructure

Designed specifically for banking, SWIFT, and enterprise environments where a certificate failure means a production outage — not just a browser warning.

BankingSWIFTEnterprise

Beyond Expiry Checks

Understands full trust chains, keystore structures, and the real reason TLS handshakes fail — not just surface-level certificate dates.

Trust ChainsJKS / P12Handshake

Explain, Not Just Scan

Every finding comes with a plain-English WHY, IMPACT, and FIX. Know exactly what went wrong and the precise commands to resolve it.

Root CauseFix CommandsAudit Trail

Learn

Learn PKI the Practical Way

Step-by-step guides to troubleshoot certificate issues across real environments. No theory — just the commands and concepts engineers actually need.

📘

Understanding Trust Chains

Root, intermediate, and leaf — how they connect

☕

Java Keystore Debugging

keytool commands for JKS and PKCS#12

🔧

OpenSSL Crash Course

The commands you'll actually use in production

🏦

SWIFT & Banking PKI

Certificate requirements for financial infrastructure

terminal

# Inspect a certificate chain
openssl s_client -connect example.com:443 \
  -showcerts 2>/dev/null

# Verify a JKS keystore
keytool -list -v \
  -keystore server.jks \
  -storepass changeit

# Check cert expiry
openssl x509 -enddate -noout \
  -in certificate.pem

Get Started

Scan Your Certificates Now

Upload files or point us at a live domain. Results in seconds.

📁

Upload Certificates / Keystore

PEM, CRT, JKS, PKCS#12 supported

🌐

Scan Live TLS Domain

Fetch the live certificate chain from any host

Free to Use

Fix Certificate Issues Before They Impact Production

No account needed. No data stored. Just answers.