Issue:
- If you are not able to access resources on https://data.pdok.nl from your Java application it is probably because of your Java lacking some governmental certificates.
- If you see something like this:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
This is also because of the lacking certificates.
Background:
The Dutch government, as well as Kadaster, use some custom security certificates. It is likely that the version of Java you use might lack those certificates. The figure bellow presents the list of those certificates:
Fix:
It is not very difficult to fix this problem. The only thing you need is to add the certificates to your Java keystore.
On windows, the certificates are stored in the file “cacerts” located in
C:\Program Files\Java\YOUR_JAVA_VERSION\jre\lib\security
Therefore, you need to add the lacking certificates to this file.
Follow the steps bellow to achieve this:
-
Download InstallCert/InstallCert.java at master · escline/InstallCert · GitHub This is a command line tool with the needed functionality
-
Copy the downloaded InstallCert.java into the folder with the key store - C:\Program Files\Java\YOUR_JAVA_VERSION\jre\lib\security
-
Run your CMD as administrator by typing “CMD” in the search line of the Start menu. Do a right click on the icon of CMD to run it as an administrator.
-
Point your CMD to the folder with the keystore by typing “cd C:\Program Files\Java\YOUR_JAVA_VERSION\jre\lib\security”, then press Enter.
-
Now you are ready to compile InstallCert.java and run it. Type in your CMD “javac InstallCert.java” and press Enter
-
Now you are going to access the server, and retrieve the certificates. Type “java InstallCert data.pdok.nl” and press Enter. You will see something like this:
-
Press Enter to add the certificates. Now the certificates are saved locally as “data.pdok.nl-1”
-
Run the following command to extract certificate from created jssecacerts keystore:
keytool -exportcert -alias data.pdok.nl-1 -keystore jssecacerts -storepass changeit -file data.pdok.nl.cer
- Now, run another command to import the certificates into the system keystore:
keytool -importcert -alias data.pdok.nl –keystore cacerts -storepass changeit -file data.pdok.nl.cer
- You will receive something like this:
C:\Program Files\Java\jdk1.8.0_92\jre\lib\security keytool -importcert -alias data.pdok.nl –keystore cacerts -storepass changeit -file data.pdok.nl.cer
Owner: O=Woot Inc, C=US, ST=Texas, L=Carrollton, CN=*.woot.com
Issuer: CN=SecureTrust CA, O=SecureTrust Corporation, C=US
<…>
Trust this certificate? [no]:
yes
Certificate was added to keystore
- Restart the computer to enable the changes.