Salesforce Platform: Private Connect API Certificate Error Resolution

Key Definitions :

• PKIX (Public Key Infrastructure X.509): certificate validation standard
• SSL/TLS (Secure Sockets Layer/Transport Layer Security): encryption protocols
• API (Application Programming Interface)
• Private Connect: Salesforce feature for secure private network connectivity
• CA (Certificate Authority): A trusted third-party entity that issues digital certificates. 

Error Details : 

While making a callout to the private link API (Application Programming Interface), users/customers  may encounter the following exceptions:

System.CalloutException: PKIX (Public Key Infrastructure X.509) path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target

OR

System.HttpRequest retrying request in response to handshake failure: 
PKIX (Public Key Infrastructure X.509) path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target

Root Cause :

This error occurs when salesforce using the “HTTPS” protocol to communicate with AWS Private Connection but our domain name/CDN doesn’t have any Salesforce Trusted CA(Certificate Authorities) certificate installed on the server. By the definition of “HTTPS” protocol, To use HTTPS with your domain name, you need an SSL (Secure Sockets Layer) or TLS (Transport Layer Security) certificate.

We need to make sure that the certificate installed on the server is signed by the Salesorce trusted CA(Certificate Authorities). To check the salesforce trusted CA(Certificate Authorities) list you can hit the below URL after logging into your salesforce.

https://<Your MyDomain>/cacerts.jsp

NOTE: Your web host (Web Hosting Provider) may offer HTTPS security but Salesforce only trusts the above listed CA(Certificate Authorities).