How to Fix “unable to find valid certification path to requested target” in Java – The Only 2025 Guide You’ll Ever Need

You are in the middle of a build, a database connection, or just trying to pull code from a corporate server, and Java throws this scary message in your face:

unable to find valid certification path to requested target

It stops Maven, breaks Gradle, freezes IntelliJ, crashes Jenkins jobs, and makes DBeaver refuse to connect.

Relax. This is the single most common Java SSL error on the planet, and it is 100% fixable in minutes once you know what’s really going on.

What the Error Actually Means (Explained Like You’re 10)

Imagine every secure website has a digital passport (called an SSL/TLS certificate).

Java has a big book of trusted passport issuers (the cacerts file inside your JDK).

When your program tries to visit a website, Java checks:

1. Does the passport look real?
2. Was it signed by someone in my trusted book?

If the answer is “no” or “I can’t find the full chain,” Java panics and shows you:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

That’s it. Nothing is broken in your code. Java is just being extra careful.

Why This Error Loves to Appear in 2025

Here are the top real-world reasons developers see it today:

1. Your company runs its own internal certificate authority (super common in banks, governments, big tech).
2. You sit behind a corporate HTTPS inspection proxy like Zscaler, Netskope, Symantec, Palo Alto, etc.
3. A server you use (Artifactory, Nexus, GitLab, internal API) renewed its certificate and now uses a new intermediate.
4. You upgraded from Java 11 → 17 → 21 → 23 and the new JDK ships a different cacerts file.
5. Let’s Encrypt or DigiCert changed their intermediate certificates (happens every few years).
6. You are on a new laptop or fresh Docker image that doesn’t have your company root yet.

The 5 Real Fixes (From Perfect to Emergency)

Fix 1: Add the Missing Certificate to Java’s Default Book (The Forever Fix)

This is the clean, correct way that every senior developer uses.

Step-by-step (Windows, Mac, Linux – same steps):

1. Open the failing website in Chrome or Edge.
2. Click the lock icon → Connection is secure → Certificate is valid.
3. Click “Certificate” → Details tab → “Copy to File…” → Next → Base-64 encoded X.509 (.CER) → save as company-cert.cer on your desktop.
   Faster way with one terminal command (copy-paste):

Bash

# Replace host.com with the real hostname

echo | openssl s_client -connect host.com:443 -servername host.com 2>/dev/null | openssl x509 -out company-cert.cer

If there are intermediate certificates, repeat and save each one separately.

3. Find where Java is installed:

Bash

java -XshowSettings:properties -version | grep java.home

4. Import the certificate (or certificates) – you will need admin/sudo for this one time:

Bash

# Linux / macOS

sudo keytool -importcert -trustcacerts -alias company-root -file company-cert.cer -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit

# Windows (run Command Prompt as Administrator)

keytool -importcert -trustcacerts -alias company-root -file company-cert.cer -keystore “C:\Program Files\Java\jdk-21\lib\security\cacerts” -storepass changeit

5. Type “yes” when it asks “Trust this certificate?”
6. Restart IntelliJ, Android Studio, Jenkins agent, or whatever was failing.

You are now immune to this error until the certificate expires (usually 1–3 years).

Fix 2: Create Your Own Truststore File (The Team & CI/CD Winner)

Never touch the global cacerts file on shared servers or CI runners.

Make your own file once and copy it everywhere:

Bash

# Create a brand new truststore with your company root

keytool -importcert -alias company-ca -file company-root.cer -keystore my-company-truststore.jks -storepass MySecret2025 -noprompt

# Now use it everywhere:

Maven

Bash

mvn clean install \

  -Djavax.net.ssl.trustStore=my-company-truststore.jks \

  -Djavax.net.ssl.trustStorePassword=MySecret2025

Gradle

properties

# In gradle.properties

systemProp.javax.net.ssl.trustStore=my-company-truststore.jks

systemProp.javax.net.ssl.trustStorePassword=MySecret2025

Spring Boot / Any Java App

Bash

java -Djavax.net.ssl.trustStore=my-company-truststore.jks \

     -Djavax.net.ssl.trustStorePassword=MySecret2025 \

     -jar myapp.jar

Docker (the cleanest way)

dockerfile

COPY my-company-truststore.jks /app/

ENV JAVA_TOOL_OPTIONS=”-Djavax.net.ssl.trustStore=/app/my-company-truststore.jks -Djavax.net.ssl.trustStorePassword=MySecret2025″

This is the method used by every professional team in 2025.

Fix 3: Fix IntelliJ IDEA, Android Studio, and Eclipse Forever

IntelliJ sometimes ignores the system truststore.

Permanent fix inside IntelliJ (2024–2025):

1. File → Settings (Ctrl+Alt+S)
2. Type “Server Certificates” in the search box
3. Click the + button → choose your .cer or .pem files (add all of them)
4. Apply → OK → Restart IntelliJ

For Maven/Gradle inside IntelliJ¹:

Settings → Build → Build Tools → Maven → Runner

VM Options:

text

-Djavax.net.ssl.trustStore=C:\path\to\my-company-truststore.jks -Djavax.net.ssl.trustStorePassword=MySecret2025

Same steps work in Android Studio and Eclipse².

Fix 4: Corporate HTTPS Proxy – Zscaler, Netskope, BlueCoat (2025 Edition)

Your company watches all HTTPS traffic for security.

They install their own root certificate on your laptop, but NOT automatically into every JDK.

What to do:

1. Go to your internal IT portal → search “Zscaler Root Certificate” or “Proxy Root CA”.
2. Download the latest .cer or .pem file (they update it every 12–24 months).
3. Import it with Fix 1 or Fix 2 above.

Many companies now provide a script that does this automatically for all JDKs.

Fix 5: Emergency “Just Make It Work Now” Tricks (Local Only!)

Only for your personal laptop when you are stuck:

Maven one-liner

Bash

mvn clean install -Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true -Dmaven.wagon.http.ssl.ignore.validity.dates=true

Gradle one-liner

Bash

gradle build –no-daemon -Dorg.gradle.jvmargs=”-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true”

Never commit these flags!

Special Tools That Save Your Life in 2025

• InstallCert.java – tiny program that connects to any server and adds all missing certificates automatically. GitHub: search “InstallCert.java” – still works perfectly in 2025.
• mkcert – create perfect local certificates that Java trusts without any work.
• DBeaver → right-click connection → Edit Connection → Driver Properties → add two entries: trustStore → path to your file trustStorePassword → your password

FAQ – The Questions Every Developer Googles

Why did this error appear out of nowhere after years of working?

A server renewed its certificate with a new intermediate, or your company turned on HTTPS inspection overnight. It’s normal in big companies.

Is it safe to import certificates into cacerts?

Yes! Adding your official company root or a real public CA is completely safe and standard practice.

I don’t have admin rights on my work laptop. Can I fix it?

Yes – use Fix 2 (your own truststore file). No admin rights needed at all.

Will upgrading Java break it again?

Sometimes. New Java versions have updated cacerts. Just re-import once or keep using your custom truststore.

You Are Now Unbreakable

The error: unable to find valid certification path to requested target is Java protecting you from bad servers.

Fix it the right way once – by adding the missing certificate or using your own truststore – and you will save hundreds of hours over your career.

You now have every working solution for 2025, from personal laptops to massive CI/CD pipelines.

What gives you this error the most — Maven? Gradle? Jenkins³? IntelliJ? Drop your story below and help the next developer!

See also

• What is Testing in Zillexit Software – Complete Easy Guide 2025
• CRPF VPN Secure Remote Access – Full Step-by-Step Guide
• Turn Off Pop-up Blocker on iPhone – Simple 2025 Method

References & Further Reading

1. IBM official support page: https://www.ibm.com/support/pages/unable-find-valid-certification-path-requested-target ↩︎
2. Real-world “it suddenly broke” case: https://stackoverflow.com/questions/64977604/sudden-unable-to-find-valid-certification-path-to-requested-target ↩︎
3. Stack Overflow – The 2011 thread that still ranks #1 in 2025: https://stackoverflow.com/questions/9210514/unable-to-find-valid-certification-path-to-requested-target-error-even-after-ch ↩︎