PKIX path building failed
Labels: Apache NiFi
Created ‎08-12-2021 03:19 AM
I have installed NiFi locally and received the below error. Could someone please let me know what needs to be done?
It would be a great help if the answer is provided in detail.
thanks!
Created ‎08-13-2021 08:06 AM
Not a lot of details in your question here, but the exception:
SunCertPathBuilderException: unable to find valid certification path to requested target
is telling you that the trust could not be determined in the TLS handshake that occurred between client and server.
Essentially this means that your truststore did not contain all the necessary TrustedCertEntries.
The complete trust chain must exist in the truststore.
Let's say you have Certificate "cert-X" signed by Certificate Authority (CA) "CA-A".
Owner: CN=cert-X, OU=test
Issuer: CN=CA-A, OU=CA-intermediate
Then that CA "CA-A" was signed by another CA "CA-root"
Owner: CN=CA-A, OU=CA-intermediate
Issuer: CN=CA-root, OU=CA-root
Then the CA "CA-root" is signed by itself:
Owner: CN=CA-root, OU=CA-root
Issuer: CN=CA-root, OU=CA-root
So in order to trust the certificate CN=cert-X, OU=test, the truststore would need to contain the complete trust chain, meaning it would need to have a TrustedCertEntry for both "CA-A" and "CA-root".
There may even be more CAs in that trust chain. You need the public cert for every CA, all the way to the root CA (owner and issuer the same), to have a complete trust chain.
A mutual TLS handshake would require trust in both directions.
The client's certificate must be trusted by the server, and the server's certificate must be trusted by the client.
In a 1-way TLS handshake you only need trust in one direction.
Client must be able to trust server's certificate only since client would not be sending a certificate to the server.
If you found this response addressed your query, please take a moment to login and click "Accept as Solution".
Thank you,
Matt
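As an added illustration (not part of the thread above), the following Python simulates the path-building rule Matt describes: starting from the leaf's Owner/Issuer pair, each issuer must be present as a TrustedCertEntry until a self-signed root is reached, otherwise the walk stops at the first missing CA, which is the condition behind the SunCertPathBuilderException. The certificate names are copied from the answer; the `Cert` class, `build_path` and `first_missing` are constructed for this example.

```python
# Added example: simulate PKIX path building over Owner/Issuer names
# (as printed by "keytool -list -v") against a list of TrustedCertEntries.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    owner: str   # "Owner:" line of the certificate
    issuer: str  # "Issuer:" line of the certificate

    @property
    def self_signed(self) -> bool:
        # A root CA is the certificate whose owner and issuer are the same.
        return self.owner == self.issuer


# Constructed sample chain, using the names from the answer above.
CERT_X = Cert("CN=cert-X, OU=test", "CN=CA-A, OU=CA-intermediate")
CA_A = Cert("CN=CA-A, OU=CA-intermediate", "CN=CA-root, OU=CA-root")
CA_ROOT = Cert("CN=CA-root, OU=CA-root", "CN=CA-root, OU=CA-root")


class PathBuildError(Exception):
    """Raised with the owner name of the first CA missing from the truststore."""
    def __init__(self, missing: str) -> None:
        super().__init__(f"unable to find valid certification path: no TrustedCertEntry for {missing!r}")
        self.missing = missing


def build_path(leaf: Cert, truststore: list[Cert]) -> list[str]:
    """Return the owner names from `leaf` up to a self-signed root, where every
    CA on the way (root included) must be a TrustedCertEntry in `truststore`."""
    by_owner = {c.owner: c for c in truststore}
    path, current, seen = [leaf.owner], leaf, {leaf.owner}
    while True:
        if current.self_signed:
            if current.owner not in by_owner:  # the root itself must be trusted
                raise PathBuildError(current.owner)
            return path
        issuer = by_owner.get(current.issuer)
        if issuer is None or issuer.owner in seen:  # missing CA or issuer loop
            raise PathBuildError(current.issuer)
        seen.add(issuer.owner)
        path.append(issuer.owner)
        current = issuer


def first_missing(leaf: Cert, truststore: list[Cert]) -> str | None:
    """Diagnostic helper: the first TrustedCertEntry the truststore lacks, or None."""
    try:
        build_path(leaf, truststore)
        return None
    except PathBuildError as err:
        return err.missing
```

Running `first_missing(CERT_X, [CA_A])` reports the root as the missing entry, while a truststore holding both CA-A and CA-root yields the full three-step path.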
Created ‎08-19-2021 01:41 PM
@midee Have you resolved your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.
Cy Jervis, Manager, Community Program
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
