How to Fix PKIX path building failed in Java

What does the error actually mean?

When Java throws this error, it means the SSL/TLS library tried to build a trust path from the server's certificate up to a trusted root CA — and failed. Java couldn't verify that the certificate is trusted.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
  PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
  unable to find valid certification path to requested target

The key phrase is "unable to find valid certification path". Java's certificate validator follows a chain: your server certificate was signed by an intermediate CA, which was signed by a root CA. If any link in that chain is missing from Java's trust store, the whole chain fails — even if the certificate itself is perfectly valid.

Why does it happen?

There are four root causes, in order of frequency:

Fix it — JKS Keystore

If your application uses a JKS keystore (.jks file), the fix is to import the missing intermediate and root certificates into the trust store.

Step 1 — Identify what's missing

First, inspect your keystore to see what certificates are currently present:

keytool -list -v -keystore your-truststore.jks -storepass changeit

Look at the Owner and Issuer fields. If the issuer of your server certificate isn't present as a trusted entry, that's your missing link.

Step 2 — Get the missing certificate

You can download it from the server directly:

openssl s_client -connect your-server.com:443 -showcerts 2>/dev/null \
  | openssl x509 -outform PEM > intermediate.pem

Or fetch the full chain and save each cert separately:

openssl s_client -connect your-server.com:443 -showcerts 2>/dev/null \
  | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ print > "cert" NR ".pem" }'

Step 3 — Import into your trust store

# Import intermediate CA
keytool -importcert -alias intermediate-ca \
  -file intermediate.pem \
  -keystore your-truststore.jks \
  -storepass changeit

# Import root CA
keytool -importcert -alias root-ca \
  -file root.pem \
  -keystore your-truststore.jks \
  -storepass changeit

Step 4 — Verify the chain is complete

keytool -list -v -keystore your-truststore.jks -storepass changeit | grep "Owner\|Issuer"

Fix it — PKCS#12

If you're using a .p12 or .pfx file, you need to rebuild it to include the full chain.

# Rebuild PKCS12 with full chain included
openssl pkcs12 -export \
  -in server.crt \
  -inkey server.key \
  -certfile intermediate.pem \
  -out server-with-chain.p12 \
  -name "server-cert" \
  -passout pass:yourpassword

The -certfile flag includes the intermediate (and optionally root) CA alongside the server certificate in the bundle.

Fix it — Live TLS endpoint

If the error is coming from a live server rather than a local keystore, the server itself is not sending the intermediate certificate during the TLS handshake.

Verify what the server is actually sending:

openssl s_client -connect your-server.com:443 -showcerts 2>/dev/null

Count the certificates in the output. If you only see one (BEGIN CERTIFICATE appears once), the server is not sending the intermediate. The fix is server-side — update your web server config to include the full chain file.

ssl_certificate /etc/ssl/fullchain.pem;
# fullchain.pem = leaf + intermediate

SSLCertificateFile /etc/ssl/server.crt
SSLCertificateChainFile /etc/ssl/intermediate.crt

certificateChainFile=
  "/etc/ssl/intermediate.pem"

Diagnose it in seconds with CertLens

Instead of running multiple OpenSSL commands and reading raw output, you can upload your keystore or enter your domain in CertLens and get a visual chain diagram immediately showing exactly which certificate is missing and why the chain fails.

Preventing it in production

This error almost always appears at the worst time — during a deployment, before a go-live, or when a certificate is renewed. Here's how to prevent it: