Introduction

Java SSL certificate validation problems usually mean the TCP connection succeeded and the TLS handshake started, but the JVM rejected the certificate chain presented by the remote endpoint. That can happen because the truststore is missing the issuing CA, an intermediate certificate is absent from what the server sends, hostname verification failed, or the process is using a different truststore than you expect. Keep in mind that the JVM has its own truststore (cacerts), separate from the operating system and browser stores, which is why a browser on the same host can trust an endpoint the JVM rejects.

Symptoms

  • Java clients fail with SSL handshake or certificate path errors
  • Browsers may trust the same endpoint while the JVM does not
  • The issue appears after certificate rotation or environment changes
  • One JVM-based service fails while another host still works

Common Causes

  • The JVM truststore does not contain the issuing CA or intermediate chain
  • Hostname verification fails because SAN entries do not match the requested name
  • The process uses a different truststore than the operator expects
  • A proxy or TLS interception layer presents a certificate the JVM does not trust

Step-by-Step Fix

  1. Inspect the exact Java SSL error. Certificate path, hostname, and truststore errors point to different fixes, so read the full exception chain, not just the top-level SSLHandshakeException.

```text
javax.net.ssl.SSLHandshakeException
sun.security.validator.ValidatorException
PKIX path building failed
```

     A ValidatorException, or "PKIX path building failed ... unable to find valid certification path to requested target", means the JVM could not chain the presented certificate to anything in its truststore (missing root or missing intermediate). A message of the form "No subject alternative DNS name matching <host> found" means the chain itself was accepted but hostname verification failed. An error while opening the keystore ("Invalid keystore format", "Keystore was tampered with, or password was incorrect") means the wrong file or password is configured.

  2. Check the live certificate chain. Use OpenSSL to confirm what the remote endpoint is actually presenting; pass -servername so the server selects the same certificate a Java client receives via SNI.

```bash
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null
```

     Count the certificates in the "Certificate chain" section and look at the issuer of the last one. If only the leaf is sent, or OpenSSL reports "unable to get local issuer certificate", the server is not sending its intermediate; unlike most browsers, the JVM does not fetch missing intermediates on its own by default, so the handshake will fail even when the root is trusted.

  3. Verify the JVM truststore path and contents. Confirm the process is using the truststore you think it is.

```bash
keytool -list -keystore "$JAVA_HOME/lib/security/cacerts"
```

     The default password is changeit. On JDK 8 the default store lives under $JAVA_HOME/jre/lib/security/cacerts, and a process started with -Djavax.net.ssl.trustStore ignores cacerts entirely. Check the running process's system properties (for example with jcmd <pid> VM.system_properties) and make sure the $JAVA_HOME in your shell is the JDK the service actually runs under; several installed JDKs, each with its own cacerts, is the usual reason one host works and another does not.

  4. Retest with explicit truststore settings. Override the truststore temporarily to prove whether the problem is trust material or something else.

```bash
java -Djavax.net.ssl.trustStore=/path/to/cacerts \
     -Djavax.net.ssl.trustStorePassword=changeit \
     -jar app.jar
```

     The override replaces the default store rather than adding to it, so point it at a copy of cacerts into which you have imported the missing issuing CA (keytool -importcert). If the failure persists with a store that demonstrably contains the issuer, the cause is hostname verification, a proxy substituting its own certificate, or a different JVM than the one you tested; adding -Djavax.net.debug=ssl prints which truststore was loaded and the chain the server sent. Do not "fix" the error with a trust-all TrustManager or a no-op HostnameVerifier: that removes exactly the check that is protecting the connection.
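The four steps above, run from inside a JVM rather than from OpenSSL, as an added example that is not part of the original page: it captures the chain the server sends, validates that chain with the JDK's own PKIX trust manager against the truststore the JVM would use, and checks the leaf's SAN entries against the host, so each of the three failure classes is reported separately. The class name TrustDiag, the ChainRecorder helper and the sanMatches rule are this example's own; the SAN check is a simplified mirror of the JDK hostname checker (dNSName entries only, single-label wildcards), not the JDK's code.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added diagnostic (hypothetical class name), runnable as a single-file program on Java 11+:
 *   java TrustDiag.java HOST [PORT] [TRUSTSTORE] [STOREPASS]
 * Run it with the same JDK binary the failing service uses, so the default truststore matches.
 */
public class TrustDiag {

    /** Capture-only trust manager: records the server chain and accepts it. Never use this in an application. */
    static final class ChainRecorder implements X509TrustManager {
        X509Certificate[] chain;
        @Override public void checkClientTrusted(X509Certificate[] c, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] c, String authType) { chain = c; }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        // Same precedence the JVM applies: -Djavax.net.ssl.trustStore, else <java.home>/lib/security/cacerts.
        String tsPath = args.length > 2 ? args[2]
                : System.getProperty("javax.net.ssl.trustStore",
                        System.getProperty("java.home") + "/lib/security/cacerts");
        char[] tsPass = (args.length > 3 ? args[3]
                : System.getProperty("javax.net.ssl.trustStorePassword", "changeit")).toCharArray();

        // 1. Capture what the server actually presents. createSocket(host, port) sets SNI to host,
        //    so the server picks the same certificate a normal Java client would receive.
        ChainRecorder recorder = new ChainRecorder();
        SSLContext captureCtx = SSLContext.getInstance("TLS");
        captureCtx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) captureCtx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }
        X509Certificate[] chain = recorder.chain;
        System.out.println("server presented " + chain.length + " certificate(s)");
        for (X509Certificate c : chain) {
            System.out.println("  subject=" + c.getSubjectX500Principal()
                    + "\n    issuer=" + c.getIssuerX500Principal());
        }

        // 2. Path validation with the JDK's own PKIX trust manager, initialised from tsPath.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(tsPath)) {
            ts.load(in, tsPass);   // "Keystore was tampered with" here means wrong file or password
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        // authType drives the key-usage check; pick the ECDHE value that matches the leaf's key type.
        String authType = "EC".equals(chain[0].getPublicKey().getAlgorithm()) ? "ECDHE_ECDSA" : "ECDHE_RSA";
        try {
            tm.checkServerTrusted(chain, authType);
            System.out.println("PATH OK: chain validates against " + tsPath);
        } catch (CertificateException e) {
            System.out.println("PATH FAIL against " + tsPath + ": " + e.getMessage());
            if (e.getCause() instanceof CertPathValidatorException) {   // e.g. EXPIRED, NOT_YET_VALID
                System.out.println("  reason=" + ((CertPathValidatorException) e.getCause()).getReason());
            }
            System.out.println("  top of presented chain is issued by: "
                    + chain[chain.length - 1].getIssuerX500Principal()
                    + " (if that issuer is not a root in the truststore, an intermediate is missing)");
        }

        // 3. Hostname check: simplified mirror of the JDK rule that host must match a dNSName SAN of the leaf.
        List<String> dnsNames = new ArrayList<>();
        Collection<List<?>> sans = chain[0].getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)) == 2) dnsNames.add((String) san.get(1));   // GeneralName type 2 = dNSName
            }
        }
        System.out.println("leaf dNSName SANs: " + dnsNames);
        boolean hostOk = dnsNames.stream().anyMatch(n -> sanMatches(n, host));
        System.out.println(hostOk ? "HOSTNAME OK for " + host : "HOSTNAME FAIL: no SAN matches " + host);
    }

    /** Case-insensitive SAN match; a wildcard covers exactly one label (*.example.com does not cover a.b.example.com). */
    static boolean sanMatches(String san, String host) {
        String s = san.toLowerCase(), h = host.toLowerCase();
        if (s.startsWith("*.")) {
            String suffix = s.substring(1);   // ".example.com"
            return h.endsWith(suffix) && h.indexOf('.') == h.length() - suffix.length();
        }
        return s.equals(h);
    }
}
```

Because step 2 and step 3 use different trust material, the output tells you which fix applies: PATH FAIL with a chain whose top issuer is a well-known root means the intermediate is missing on the server; PATH FAIL with a private or unexpected issuer means that CA must be imported (or a proxy is intercepting); PATH OK with HOSTNAME FAIL means the SAN list does not cover the name the service connects to. Running it against a proxy host shows the substituted certificate directly.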

Prevention

  • Track JVM truststore ownership per service and environment, including which JDK installation each service runs under
  • Validate full certificate chains after renewals, not just leaf certs; confirm the server still sends its intermediate
  • Keep hostname verification expectations explicit in service config, so SAN entries are checked against the name the client actually uses
  • Never bypass failures with a trust-all TrustManager or a permissive HostnameVerifier; import the specific issuing CA into a service-owned truststore instead
  • Test Java clients directly after proxy and certificate changes