Hi @AnujSa2,
Java cannot establish a trust chain from your client to the server’s certificate, even after importing what you believe to be the correct certificate.
This usually happens due to one of the following:
1. Intermediate Certificates Missing
You may have imported only the leaf certificate (adobe_io.crt) but not the full certificate chain (i.e., root + intermediates).
Fix: Re-download the entire certificate chain from the Adobe API endpoint you're connecting to, then import each certificate in the chain into your keystore (starting from the root down to the intermediate(s), then the leaf if needed).
Use a browser or OpenSSL to download the full chain:
openssl s_client -connect <your-adobe-endpoint>:443 -showcerts
Save each -----BEGIN CERTIFICATE----- block as a separate .crt file and import them individually:
keytool -import -trustcacerts -keystore "C:\Program Files\Java\jdk-17\lib\security\cacerts" -storepass changeit -alias adobe-root -file root.crt
keytool -import -trustcacerts -keystore "C:\Program Files\Java\jdk-17\lib\security\cacerts" -storepass changeit -alias adobe-intermediate -file intermediate.crt
2. Wrong Certificate Format
Ensure that adobe_io.crt is in X.509 PEM format. If it is in DER, PKCS7, or another format, Java might not parse it correctly.
You can convert it using OpenSSL:
openssl x509 -inform DER -in adobe_io.crt -out adobe_io.pem
Then import adobe_io.pem.
3. Importing into the Wrong JDK or Keystore
Double-check that your application is using the same JDK whose cacerts file you are updating. If your app uses another JDK, that cacerts change won't be visible.
To verify which JDK is being used, run:
java -version
and ensure it matches your C:\Program Files\Java\jdk-17\... path.
4. Check with System Properties (Optional Quick Fix)
If you want to bypass the cacerts step temporarily, you can specify a truststore directly:
-Djavax.net.ssl.trustStore=path_to_custom_truststore.jks
-Djavax.net.ssl.trustStorePassword=changeit
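
A check for points 1, 3 and 4 above, as an added example that is not part of the original answer: it prints the JDK and truststore the running JVM resolves by default, then reports whether each imported alias is present and whether its issuer is also in that truststore. The class name TrustStoreCheck is hypothetical, the password falls back to changeit, and the default aliases are the ones used in the keytool commands above.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

// Added example (hypothetical class name); requires Java 9 or later.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // Resolve the truststore in the default JSSE order:
        // -Djavax.net.ssl.trustStore, then jssecacerts, then cacerts.
        String home = System.getProperty("java.home");
        String override = System.getProperty("javax.net.ssl.trustStore");
        File store;
        if (override != null) {
            store = new File(override);
        } else {
            File sec = new File(new File(home, "lib"), "security");
            File jsse = new File(sec, "jssecacerts");
            store = jsse.exists() ? jsse : new File(sec, "cacerts");
        }
        // Assumption: the store password is changeit unless overridden.
        char[] pass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();
        System.out.println("java.home  = " + home);
        System.out.println("truststore = " + store.getAbsolutePath());

        KeyStore ks = KeyStore.getInstance(store, pass); // detects JKS or PKCS12

        // Collect the subject of every trusted certificate so each imported
        // certificate's issuer can be looked up (name match only, no signature check).
        Set<X500Principal> subjects = new HashSet<>();
        for (String a : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(a);
            if (c instanceof X509Certificate) subjects.add(((X509Certificate) c).getSubjectX500Principal());
        }
        // Aliases from the command line, or the ones used in the keytool commands above.
        String[] aliases = args.length > 0 ? args : new String[] {"adobe-root", "adobe-intermediate"};
        for (String alias : aliases) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) { System.out.println(alias + ": NOT FOUND in this truststore"); continue; }
            X509Certificate x = (X509Certificate) c;
            System.out.println(alias + ": subject=" + x.getSubjectX500Principal().getName());
            System.out.println("  issuer=" + x.getIssuerX500Principal().getName()
                + (subjects.contains(x.getIssuerX500Principal()) ? " (issuer present)" : " (issuer MISSING)"));
        }
    }
}
```

Run it with the same java binary and the same -D options as the application (for example `java TrustStoreCheck.java`), so that it resolves the truststore the application would use.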