

000002290


5391

05/01/2023 21:38 PM

2.1

Problem Description

You received the error, "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found".

 

Cause

This error indicates that your application does not trust the root CA (Certifying Authority) and/or the intermediate CAs of the CyberSource SSL server certificate.

 

Resolution

To resolve this issue, you must download the root and intermediate certificates and import them into the Java KeyStore used by your application.

Note: These instructions assume you are using Internet Explorer as your web browser.

 

Download the Root and Intermediate Certificates

There are 3 certificates that need to be downloaded:

  • Entrust
  • Entrust Root Certification Authority
  • Entrust Certification Authority - L1E

  1. Navigate to the host your application is trying to communicate with:

For the Simple Order and SOAP Toolkit APIs

live transactions: https://ics2ws.ic3.com/commerce/1.x/transactionProcessor/
test transactions: https://ics2wstest.ic3.com/commerce/1.x/transactionProcessor/

 

For Batch Upload (Offline Transaction File Submission)

  1. Select your .p12 key when prompted.

If you haven't imported your .p12 key into Internet Explorer, go to Tools > Internet Options > Content > Certificates > Import > then import your .p12 key.

Root certificate (Entrust.net Secure Server Certification Authority)

  1. Click File > Properties > Certificates > Certification Path.
  2. Click on (select) Entrust.
  3. Click View Certificate > Details > Copy to File > Next > Next.
  4. Specify a filename.
  5. Click Next > Finish.

First intermediate certificate (Entrust Root Certification Authority)

  1. Click File > Properties > Certificates > Certification Path.
  2. Select Entrust Root Certification Authority.
  3. Click View Certificate > Details > Copy to File > Next > Next.
  4. Specify a filename.
  5. Click Next > Finish.

Second intermediate certificate (Entrust Certification Authority - L1E)

  1. Click File > Properties > Certificates > Certification Path.
  2. Select Entrust Certification Authority - L1E > View Certificate > Details > Copy to File > Next > Next.
  3. Specify a filename.
  4. Click Next > Finish.

 

  3. Import the certificate into your keystore. The terms used in the commands are defined below, followed by instructions.

    • cybsCert: Any alias of your choice. Note that aliases are unique in the keystore, so you must choose a different alias for each certificate. Suggested aliases: CybsEntrustRoot, CybsEntrustIntermediate, CybsEntrustL1E.
    • JAVA_HOME: Path to your Java installation
    • PATH_TO_MERCHANT_KEYSTORE: Path to the keystore that you generated during the batch upload implementation
    • MERCHANT_KEYSTORE: Name of the keystore that you generated during the batch upload implementation
    • cybsCert.cer: Certificate you exported from step 2
    • keytool: Utility included in the Java SDK
    • cacerts: Default Java keystore

 

For the Simple Order or SOAP Toolkit APIs

Type the following command without line breaks:
 
keytool -import -alias cybsCert -keystore JAVA_HOME/jre/lib/security/cacerts -file cybsCert.cer

 

For Batch Upload

Type the following command without line breaks:
 
keytool -import -alias cybsCert -keystore PATH_TO_MERCHANT_KEYSTORE/MERCHANT_KEYSTORE.jks -file cybsCert.cer

 

  4. Enter the password for the keystore. The default password is 'changeit' for cacerts (Simple Order and SOAP Toolkit APIs). Note that if you've changed the default password of cacerts, then use that password instead of 'changeit'. For the batch file upload, the password is your merchant ID.
  5. Repeat steps 3 and 4 for the remaining two certificates.


You have successfully imported the certificates. If the error persists, you have updated the wrong keystore (i.e. cacerts file). Execute 'java -version' to verify that you updated the keystore for the version of Java you are currently running.

Many applications use a keystore different than the default cacerts file. For example, the Cybersource Batch Upload API uses a self-generated keystore following the format of .jks. The location of this keystore is specified in the properties file for the batch upload solution. Make sure this keystore is updated if you're implementing the batch upload solution.
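The import steps above for all three certificates, followed by a check that each alias landed in the keystore that was actually updated, as an added shell example that is not Cybersource's own script. The aliases are the ones suggested above; the file names (<alias>.cer) and the script name import-certs.sh are assumptions. The JAVA_HOME/jre/lib/security/cacerts path used above matches Java 8 and earlier; from Java 9 on, cacerts sits under JAVA_HOME/lib/security, so the script looks in both places.

```shell
#!/bin/sh
# Added example: aliases are the ones the article suggests; the .cer file
# names (<alias>.cer) are an assumption, use the names you chose on export.
ALIASES="CybsEntrustRoot CybsEntrustIntermediate CybsEntrustL1E"

# Print the cacerts path for a Java home. Java 8 JDKs keep it under jre/,
# Java 9+ (and standalone JREs) keep it under lib/security.
find_cacerts() {
    for p in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -f "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Import every certificate into keystore $1, reading <alias>.cer from $2.
# keytool prompts for the keystore password and shows each certificate's
# fingerprints before asking whether to trust it.
import_all() {
    ks=$1; dir=$2
    for a in $ALIASES; do
        [ -f "$dir/$a.cer" ] || { echo "missing $dir/$a.cer" >&2; return 1; }
    done
    for a in $ALIASES; do
        keytool -import -alias "$a" -keystore "$ks" -file "$dir/$a.cer" || return 1
    done
    # Confirm each alias is now present in the keystore that was updated.
    for a in $ALIASES; do
        keytool -list -alias "$a" -keystore "$ks" || return 1
    done
}

# Usage: sh import-certs.sh cacerts [cert_dir]          (Simple Order / SOAP)
#        sh import-certs.sh /path/to/store.jks [cert_dir]   (Batch Upload)
if [ "$#" -ge 1 ]; then
    ks=$1
    if [ "$ks" = "cacerts" ]; then
        [ -n "$JAVA_HOME" ] || { echo "set JAVA_HOME first" >&2; exit 1; }
        ks=$(find_cacerts "$JAVA_HOME") || {
            echo "no cacerts under $JAVA_HOME" >&2; exit 1; }
    fi
    echo "Updating keystore: $ks"
    import_all "$ks" "${2:-.}"
fi
```

Compare the fingerprints keytool displays with the ones shown in the browser's certificate viewer before answering yes to the trust prompt.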


