Problem:

The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"


Solution:

This error means that the client cannot verify the identity of the database server you are connecting to. It is common when the server uses a self-signed certificate.


Assuming you are using Microsoft's JDBC driver, you have two options at this point: (A) either bypass the security check altogether (a quick but insecure workaround), or (B) configure the connection to trust this particular server’s certificate (more work but also more secure).


Option A:

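As a quick workaround, you can bypass the security check if you trust the server. With this setting the connection is still encrypted, but the server's certificate is not validated, so the client has no assurance that it is talking to the intended server. To do so, open the Properties tab for the connection and select the Driver Properties category. Set the driver property trustServerCertificate to true and connect.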



Option B (simple scenario):

If you are running Microsoft Windows, and the system administrators (or the DBA) have generated the certificates and pushed them out to the client machines, you can tell Java to use the Microsoft Windows certificate store. Open Tools->Tool Properties, choose General and add the following flag in the section called Java VM Properties:

-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT



Option B (advanced scenario):

If you are not running Microsoft Windows or you do not have the certificate in the Windows truststore, then you need to configure the database connection to trust the certificate. To do so:


1. Create a truststore containing the server certificate

  • Obtain the certificate used by the database server (in PEM format)
  • Copy the default Java truststore (<Java Home>/lib/security/cacerts) to a suitable location
  • Import your server certificate to the truststore using the keytool utility (found in <Java Home>/bin)
keytool -importcert -alias mycert -file cert.pem -keystore /Users/me/mytruststore -storepass changeit

2. Configure the connection by setting the following driver properties

  • trustStore=<path to your truststore>
  • trustStorePassword=<the password you chose above>
  • hostNameInCertificate=<Common Name (CN) in the server certificate>
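
A check for steps 1 and 2 above, as an added example that is not part of the original article or of the JDBC driver: it confirms that the truststore built with keytool actually vouches for the server certificate, and prints the values to use for trustStore and hostNameInCertificate. The class name TruststoreCheck and its command-line arguments are assumptions; it needs Java 11 or later.

```java
import java.io.File;
import java.nio.file.Files;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example (hypothetical class name), not code from the article or the driver.
// Usage: java TruststoreCheck.java /Users/me/mytruststore changeit cert.pem
public class TruststoreCheck {

    // Alias of the truststore entry that vouches for the certificate, or null.
    static String findTrustAnchor(KeyStore ts, X509Certificate server) throws Exception {
        String exact = ts.getCertificateAlias(server); // certificate imported as-is
        if (exact != null) return exact;
        for (String alias : Collections.list(ts.aliases())) {
            var ca = ts.getCertificate(alias);
            if (ca == null) continue;
            try {
                server.verify(ca.getPublicKey()); // issued directly by this entry
                return alias;
            } catch (Exception notTheIssuer) { /* try the next entry */ }
        }
        return null; // chains through intermediate CAs are not followed here
    }

    // Common Name (CN) of the certificate subject, or null if it has none.
    static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns())
            if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
        return null;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(new File(args[0]), args[1].toCharArray());
        X509Certificate server;
        try (var in = Files.newInputStream(new File(args[2]).toPath())) {
            server = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        server.checkValidity(); // throws if the certificate is expired or not yet valid
        String alias = findTrustAnchor(ts, server);
        if (alias == null) throw new IllegalStateException("server certificate is not trusted by " + args[0]);
        System.out.println("Trusted via alias: " + alias);
        System.out.println("trustStore=" + new File(args[0]).getAbsolutePath());
        System.out.println("hostNameInCertificate=" + commonName(server));
    }
}
```

If the check throws IllegalStateException, the driver would fail with the same PKIX path building error, which usually means the import in step 1 went into a different truststore file than the one the connection points to.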



For reference, see the following resources: