Salesforce CalloutException - CertPathValidatorException

If you're getting the error message "PKIX path validation failed: subject/issuer name chaining check failed", find out why and how to fix it.



The main reason for this error is that the endpoint is presenting a certificate chain that contains incorrect intermediate certificates during the SSL handshake. The server is sending its own certificate and signing chain, but one or more intermediate certificates are incorrect.

To fix the problem, the endpoint must present a chain where the next certificate's subject equals the current certificate's issuer.

A tool like OpenSSL can be used to validate whether the distinguished name (DN) of a certificate's issuer is equal to the DN of the next certificate's subject, which must match for the chain to be valid.

To see the certificate information yourself, use the following openssl command:

openssl s_client -showcerts -connect hostname:port

where "hostname:port" is the endpoint that you want to connect to.

The command will show the certificates as they are being sent. You can then check the list of certificates to verify that the certificate chain is properly installed.
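
One way to automate that check, as an added example that is not Salesforce's or OpenSSL's own code: the function below reads the s_client output and compares each certificate's issuer line (i:) with the next certificate's subject line (s:). The function names and the two sample chains are constructed for illustration, and the check covers name chaining only, not signatures.

```shell
# Added example. Reads `openssl s_client -showcerts` output on stdin and checks
# that each certificate's issuer DN equals the next certificate's subject DN.
# Exit status: 0 = names chain, 1 = broken link or no chain in the input.
check_chain() {
    awk '
        BEGIN { n = 0; bad = 0 }
        # Summary lines look like " 0 s:<subject DN>" followed by "   i:<issuer DN>".
        /^ *[0-9]+ s:/ {
            subj = $0; sub(/^ *[0-9]+ s:/, "", subj)
            if (n > 0 && subj != issuer[n - 1]) {
                printf "BREAK at cert %d: subject \"%s\" does not match issuer of cert %d \"%s\"\n", n, subj, n - 1, issuer[n - 1]
                bad = 1
            }
            next
        }
        /^ +i:/ { iss = $0; sub(/^ +i:/, "", iss); issuer[n++] = iss; next }
        END {
            if (n == 0) { print "no certificate chain found in input"; exit 1 }
            if (!bad) printf "OK: %d certificates, issuer and subject names chain\n", n
            exit bad
        }
    '
}
# Constructed sample: leaf -> intermediate -> root, names line up.
sample_good() {
    cat <<'EOF'
Certificate chain
 0 s:CN = api.example.test
   i:C = US, O = Example Trust, CN = Example Issuing CA 1
 1 s:C = US, O = Example Trust, CN = Example Issuing CA 1
   i:C = US, O = Example Trust, CN = Example Root CA
EOF
}
# Constructed sample: the server sends the wrong intermediate for its leaf.
sample_broken() {
    cat <<'EOF'
Certificate chain
 0 s:CN = api.example.test
   i:C = US, O = Example Trust, CN = Example Issuing CA 2
 1 s:C = US, O = Example Trust, CN = Example Issuing CA 1
   i:C = US, O = Example Trust, CN = Example Root CA
EOF
}
sample_good | check_chain
sample_broken | check_chain || true
# Against a live endpoint (hostname:port as in the command above):
#   openssl s_client -showcerts -connect hostname:port </dev/null 2>/dev/null | check_chain
```

A BREAK line names the position in the chain where the server is sending the wrong certificate, which is the one the endpoint owner needs to replace.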

Please note that OpenSSL is a third-party tool and is outside the scope of Salesforce support.

