Client CERTIFICATE UNKNOWN

The client TLS trace reported:

Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
“throwable” : { sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This is because the server sent its certificate as part of the ServerHello handshake, but the client was not able to verify it.

For example, given the certificate sent from the server:

"certificate" : {
"version" : "v3",
"serial number" : "1A",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=TEMP4Certification Authority, OU=TEST, O=TEMP",
"not before" : "2020-12-17 24:00:00.000 GMT",
"not after" : "2021-12-17 23:59:59.000 GMT",
"subject" : "CN=SERVER, OU=SSS, O=ZZZZ",
"subject public key" : "RSA",

Reasons could include:

  • The issuer CN=TEMP4Certification Authority, OU=TEST, O=TEMP is not in the client’s trust store.
  • There is a CN=TEMP4Certification Authority, OU=TEST, O=TEMP in the client’s trust store, but it is different from the server’s version. In my case the CA information was not passed down with the certificate. Display the CA information from the client trust store, and compare it with the certificate information in the server.
  • The certificate’s signature algorithm has been disabled on the client, for example because it is too weak.
  • The subject public key algorithm is disabled on the client; the algorithm or the key strength may not be acceptable.
  • Elliptic curves have names, and individual named curves can be disabled on the client.
  • If the certificate is self-signed, check the details to make sure it is the same certificate. If the certificate on the server has been recreated, it may not work with an old copy on the client.
  • The name is not exactly the same; for example, case matters.
  • The certificate dates may not be valid; it may have expired.
  • You may have more than one entry with the same DN but a different alias.

On distributed platforms you can use the keytool command to display the trust store:

keytool -list -v -keystore trust.jks -storetype jks -storepass …

For me, I needed to find Owner: CN=TEMP4Certification Authority, OU=TEST, O=TEMP
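As an added example (not code from the original post), the following Java program runs through the checks in the list above against a JKS trust store and a copy of the server certificate, so the keytool comparison described here can be done in one step: it reports the server certificate's issuer DN and validity dates, finds trust-store entries whose subject DN matches that issuer, verifies the server certificate's signature against each matching CA key (which exposes the "same DN but a regenerated CA" case), warns about duplicate DNs under different aliases, and finally asks the JDK's own PKIX trust manager for its verdict, which also applies the client's disabled-algorithm constraints. The file names trust.jks and server.pem and the store password on the command line are assumptions; substitute your own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/**
 * Added diagnostic, not part of the original post.
 * Usage (assumed file names): java TrustStoreCheck trust.jks <storepass> server.pem
 * server.pem is the server certificate exported in PEM (or DER) form.
 */
public class TrustStoreCheck {

    public static void main(String[] args) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());
        }
        X509Certificate server;
        try (InputStream in = new FileInputStream(args[2])) {
            server = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        X500Principal issuer = server.getIssuerX500Principal();
        System.out.println("Server cert subject : " + server.getSubjectX500Principal());
        System.out.println("Server cert issuer  : " + issuer);
        System.out.println("Server cert sig alg : " + server.getSigAlgName());
        System.out.println("Server cert key alg : " + server.getPublicKey().getAlgorithm());
        System.out.println("Server cert valid   : " + server.getNotBefore() + " .. " + server.getNotAfter());

        // Check 1: an expired or not-yet-valid certificate fails whatever the trust store holds.
        try {
            server.checkValidity(new Date());
        } catch (CertificateException e) {
            System.out.println("DATE PROBLEM: " + e.getMessage());
        }

        // Check 2: find trust-store entries whose subject DN equals the server's issuer DN.
        int matches = 0;
        for (Enumeration<String> aliases = trust.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            java.security.cert.Certificate c = trust.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate ca = (X509Certificate) c;
            if (ca.getSubjectX500Principal().equals(issuer)) {
                matches++;
                System.out.println("Trust-store alias '" + alias + "' has the matching subject DN");
                System.out.println("  CA cert SHA-256 fingerprint: " + fingerprint(ca));
                // Check 3: same DN but a different (e.g. recreated) CA key means the signature fails.
                try {
                    server.verify(ca.getPublicKey());
                    System.out.println("  server certificate signature verifies with this CA");
                } catch (Exception e) {
                    System.out.println("  SIGNATURE DOES NOT VERIFY with this CA: " + e.getMessage());
                }
            }
        }
        if (matches == 0) {
            System.out.println("NO trust-store entry has subject " + issuer);
        } else if (matches > 1) {
            System.out.println("WARNING: " + matches + " entries share that DN under different aliases");
        }

        // Check 4: the JDK's PKIX trust manager applies the same path building and the
        // disabled-algorithm constraints the TLS client uses, so its message matches the trace.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trust);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    ((X509TrustManager) tm).checkServerTrusted(new X509Certificate[] { server }, "RSA");
                    System.out.println("PKIX: server certificate is trusted");
                } catch (CertificateException e) {
                    System.out.println("PKIX: " + e.getMessage());
                }
            }
        }
    }

    // Fingerprint of the DER encoding, for comparing a CA entry with the server's copy.
    static String fingerprint(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X", b));
        return sb.toString();
    }
}
```

Run it against the same trust store the failing client uses. A "NO trust-store entry" line corresponds to the first reason in the list, "SIGNATURE DOES NOT VERIFY" to the second (the CA was recreated and the client still holds the old copy), and the final PKIX line reproduces the message the TLS trace reported, including algorithm-constraint failures that the DN comparison alone cannot show.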