Spring Boot with okta : Resolve Error message "PKIX path building failed"


If you're trying to connect a Spring Boot application with okta from localhost, you may encounter the error message "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". This error occurs because the Java Virtual Machine (JVM) running the Spring Boot application does not trust the SSL certificate presented by the okta server: nothing in the JVM's trust store chains up to it.

In this article, we will guide you through the steps to configure your JVM to trust the okta server's SSL certificate and resolve this error.

To resolve this error, follow these steps:

  1. Download the SSL certificate from the okta server using a web browser.
  2. Import the okta SSL certificate into your Java keystore.
  3. Update your Spring Boot application to use the new keystore that includes the okta SSL certificate.

Details:

Download the SSL certificate from the okta server

  1. Open a web browser and navigate to the okta server URL.
  2. Go to the ‘Security’ tab, then click ‘View certificate’.
  3. In the certificate details window, go to the ‘Details’ tab and click ‘Export’.
  4. Make sure the file format is ‘Base64-encoded ASCII, single certificate (*.pem, *.crt)’.
  5. Name the file okta.crt.
  6. Copy this okta.crt file into the security folder of your Java home directory. For example: C:\Program Files\Amazon Corretto\jdk11.0.15_9\lib\security
  7. Then execute the command below:

keytool -import -alias okta -file okta.crt -keystore "C:/Program Files/Amazon Corretto/jdk11.0.15_9/lib/security/cacerts"

It will prompt you for the keystore password. The default password is changeit; type it and confirm the import when asked.

Now create a Spring Boot application with the okta configuration and configure it to use this keystore file with the following settings in your application.yml file:

server:
  port: 8080
  ssl:
    enabled: true
    # server.ssl.* configures the certificate the embedded server itself presents on port 8080.
    # Trust of the okta certificate for outbound calls comes from the cacerts import in step 2.
    key-store: "file:/C:/Program Files/Amazon Corretto/jdk11.0.15_9/lib/security/cacerts"
    key-store-password: "changeit"
    key-store-type: "jks"
    key-alias: "okta"
okta:
  oauth2:
    issuer: https://yourdevserver.okta.com/oauth2/default
    audience: api://default
    client-id: yourclientid7
    # placeholder value; never commit a real client secret to application.yml
    client-secret: yoursecreidticwS8
    scopes: openid, email, profile, offline_access


Now run your Spring Boot project with the necessary OktaOAuth2WebSecurity configuration. It will connect to okta and run without the error.

Note: There are many tutorials available on YouTube and GitHub for creating a Spring Boot project with Okta. You can follow any of them to get started. However, if you encounter the "PKIX path building failed" error while connecting to Okta from your Spring Boot application, follow the steps outlined in this article to resolve the issue. Our objective here is to provide you with a solution to overcome this specific error.

Note: If you get an error like "keytool error: java.lang.Exception: Certificate not imported, alias <okta> already exists", then you can use a different alias name or delete the existing alias from cacerts.

Use the command below to delete the alias:

keytool -delete -alias okta -keystore "C:/Program Files/Amazon Corretto/jdk11.0.15_9/lib/security/cacerts"

Note: Check the validity of okta's SSL/TLS certificate every time. Make sure that the certificate presented by the server, the one you downloaded, is valid and has not expired. You can check the validity of the certificate in a web browser. If you get the error message "PKIX path building failed" again, repeat the whole process.
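A quick way to confirm that the import in step 2 worked and that the certificate is still within its validity period, as an added example that is not part of the original article: this small Java program loads okta.crt, prints and checks its validity dates, then asks the JVM's default trust manager (the same PKIX validator that raises the error) whether it trusts that certificate. It assumes the file name okta.crt from the steps above and must be run with the same JDK whose cacerts you modified; a PEM file holding a whole chain is accepted as well.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Checks whether the running JDK's default trust store accepts the certificate(s) in a PEM file. */
public class TrustCheck {

    public static void main(String[] args) throws Exception {
        // Assumed file name; pass another path as the first argument if needed.
        String pemPath = args.length > 0 ? args[0] : "okta.crt";

        // Parse every certificate in the file (one for a browser export, several for a full chain).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(pemPath)) {
            Collection<? extends java.security.cert.Certificate> certs = cf.generateCertificates(in);
            chain = certs.toArray(new X509Certificate[0]);
        }
        X509Certificate leaf = chain[0];
        System.out.println("Subject : " + leaf.getSubjectX500Principal());
        System.out.println("Issuer  : " + leaf.getIssuerX500Principal());
        System.out.println("Valid   : " + leaf.getNotBefore() + " .. " + leaf.getNotAfter());
        // Throws CertificateExpiredException / CertificateNotYetValidException if the dates are wrong.
        leaf.checkValidity();

        // A null KeyStore selects the JVM default trust store: cacerts, or javax.net.ssl.trustStore if set.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];

        // authType drives the key-usage check; pick the one matching the leaf's key algorithm.
        String authType = "EC".equals(leaf.getPublicKey().getAlgorithm()) ? "ECDHE_ECDSA" : "RSA";
        try {
            tm.checkServerTrusted(chain, authType);
            System.out.println("OK: trusted by the default trust store");
        } catch (CertificateException e) {
            // Same condition that produces "PKIX path building failed" in the Spring Boot application.
            System.out.println("NOT trusted: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it with `java TrustCheck.java okta.crt` (JDK 11 or later runs a single source file directly); a non-zero exit status means the import did not take effect for this JDK.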

Jamilur Rahman

Sr. Software Engineer @ BS23 | Java | Spring Boot | Mentoring Freshers (Career counseling)

1 year

For Windows:

```
keytool -import -alias okta -file okta.crt -keystore "C:\Program Files\Amazon Corretto\jdk11.0.15_9\lib\security\cacerts"
```

For macOS:

```
keytool -import -alias okta -file okta.crt -keystore "/Library/Java/JavaVirtualMachines/jdk-11.0.15.jdk/Contents/Home/lib/security/cacerts"
```

For Linux:

```
keytool -import -alias okta -file okta.crt -keystore "/usr/lib/jvm/java-11-amazon-corretto.x86_64/lib/security/cacerts"
```

Note: The actual path to the `cacerts` file may vary depending on the installation location and the version of Java being used. Please ensure that the path is correct before running the command.
