Problem with Java keystore and certificates (unable to find valid cert path
Our program is made so that when a certificate is not signed by a trusted Certification Authority, it will ask the user if he/her wishes to trust the certificate or not. If they decide to trust the certificate, it will accept the self signed certificate and import it into the keystore and then use that certificate to log the user in. This works fine. It will import the certificate into the keystore and use the specified ip address to establish a connection with the LDAP server (Active Directory in our case) and authenticate properly. However, the problem arises when we then try and connect to a different ip address (without restarting tomcat, if we restart tomcat, it works fine...). It imports the certificate into the keystore fine, but always gives the exception
"Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
and does not authenticate with our LDAP server (which is Active Directory). The problem seems to be that it is no longer looking at the System.setProperty("javax.net.ssl.trustStore", myTrustStore);
I have tried multiple times to just reset this property and try and "force" it to read from my specified trust file when this error happens. I have also imported the certificates directly into the <java_home>/jre/lib/security/cacerts and <java_home>/jre/lib/security/jssecacerts directories as the java documentation says that it will look at those directories first to see if it can find a trusted certificate. However, this does not work either. The only way that I can get this to work is by restarting tomcat all together.
If both of the certificates are already in the keystore before tomcat is started up, everything will work perfect. Again, the only problem is after first connecting to an IP address using TLS and importing the certificate, and then trying to connect to another IP address with a different certificate and import it into the keystore.
One of the interesting features of this is that after the second IP address has failed, I can change the IP address back to the first one that authenticated successfully and authenticate successfully again (ie
I use ip 1.1.1.1, import self signed certificate, authenticates successfully
login with ip 2.2.2.2 import self signed certificate, FAILS
login again with 1.1.1.1 (doesn't import certificate because it is already in keystore) successfully authenticates
Also, I am using java 1.5.0_03.
Any help is greatly appreciated as I've been trying to figure this out for over a week now.
Thanks