Fix PKIX and SSL configuration issues in AEM Forms
AEM Forms fails to communicate over SSL due to missing certificates, incorrect keystore configuration, or misconfigured SSL ports. Fix the issue by validating certificate chains, updating the JVM truststore, and correcting SSL configuration in JBoss or WebSphere.
Description description
Environment
- AEM Forms (JEE and OSGi)
- JBoss
- WebSphere
- Adobe Managed Services (AMS)
- on‑prem environments
Issue/Symptoms
javax.net.ssl.SSLHandshakeException: PKIXpath building failed:sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targetjava.sql.SQLRecoverableException: IO Error PKIXpath building failed.- JBoss EJB invocation failing with SSL disabled or incomplete configuration:
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false - AEM startup failures where SSL configuration wizard requests keystore name/password and cannot proceed.
Resolution resolution
To resolve this issue, follow these steps:
-
Review logs such as
standalone/log/server.logorSystemOut.logto identify SSL error signatures like PKIX failures, SSLHandshakeException, or missing keystore password. -
Confirm the error references certificate trust or keystore loading issues.
-
Extract the server certificate and its full chain, including server, intermediate, and root CA certificates, and ensure the certificate matches the hostname observed in logs.
-
Import missing certificates into the JVM truststore at
JAVA_HOME/lib/security/cacertsusing keytool and verify installation by listing the alias. Ensure the correct keystore path and password are used.keytool -importcert -alias <alias> -file <certfile.pem> -keystore <JAVA_HOME>/lib/security/cacerts -
Restart JBoss or WebSphere to reload the truststore and verify that SSL errors no longer appear during startup.
-
Re-run the failing operation such as database connection or HTTPS call.
-
If the SSL configuration wizard requests keystore inputs and the password is unknown, create a new keystore by providing a new file name, keystore password, and key password.
-
Verify the keystore file exists in the configuration directory.
-
Validate the JBoss HTTPS listener configuration in
standalone.xmlordomain.xml. -
Ensure the SSLRealm and HTTPS listener exist and load correctly without errors.
-
For database-related SSL errors, especially with SQL Server using
encrypt=true;trustServerCertificate=false, import the database certificate into the truststore or settrustServerCertificate=truetemporarily. -
Verify the datasource test succeeds.
-
Check EJB SSL configuration if errors relate to port 8443.
-
Ensure SSL is enabled and configured correctly for EJB traffic, and verify that invocation errors no longer occur.
-
Re-test the original failing operation and confirm logs do not contain SSLHandshakeException or related errors.
If issues persist, perform deeper validation by comparing certificates using openssl and verifying truststore entries.