Search

PKIX Path Issues when Configuring HTTPS/SSL for FME Flow

Liz Sanderson
Liz Sanderson
  • Updated

Symptom

Errors similar to those below are found in various FME Flow (formerly FME Server) or Tomcat log files.
  
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(Unknown Source) at sun.security.validator.PKIXValidator.engineValidate(Unknown Source) at sun.security.validator.Validator.validate(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) 
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed:sun.security.provider.certpath.SunCertPathBuilderException: unable to findvalid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:unable to find valid certification path to requested target


Cause

The certificate used for SSL has not been imported into the FME Flow cacerts truststore or is a self-signed certificate.


Resolution

Obtain a copy of the CER or CRT file and import it into the FME Server cacerts truststore.

  • Login to FME Flow using a web browser (e.g. Google Chrome, as shown below)
  • View the “Certificate Information”

Chrome not secure

  • Click the Certificate Details tab and "Export"

Export Cert

  • Save as a “Base64 encoded ASCII, single certificate (*.pem,*.crt)” to local disk (e.g. <certpath>\mycert.crt)

Export CRT

  • Using the Command Prompt (as an Administrator), change the directory to <FMEFlow>\Utilities\jre\bin
  • Enter the following command, making the appropriate changes to <FMEFlow>, <certpath> and the Alias value. If you wish to import all the certificates in the keystone into the trusted cacerts file you can remove the alias parameter:
keytool -import -trustcacerts -keystore "<FMEFlow>\Utilities\jre\lib\security\cacerts" -storepass changeit -noprompt -alias mycert -file "<certpath>\mycert.crt"
  • Restart FME Flow and try submitting a job.

Was this article helpful?

We're sorry to hear that.

Please tell us why.

As of January 14th, 2026, comments on knowledge base articles have been closed. To make sure questions don’t get missed and to enable more community support, we’ve moved discussions to the FME Community. If you have a question or a comment about this article, please create a new post or create a support ticket.