
PKIX Path Building Failed SSL Handshake Error When Making Server-Side Calls in B2C Commerce

Published: Feb 16, 2026
Description

When making a request from the backend (i.e. from a cartridge), you may encounter the error below, which indicates that the destination server's TLS certificate was signed by a CA whose certificate is not present in the Java trusted keystore:

Wrapped javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Resolution

To resolve this problem, import the root TLS/SSL certificate in Business Manager under Administration | Operations | Private Keys and Certificates.

Determine the Certificate(s) Needed

Import the Certificate(s)

  • Log in to Business Manager
  • Go to Administration | Operations | Private Keys and Certificates
  • Import the certificate:
    • Click Import in the top right
    • Click Select and upload a certificate
    • It is HIGHLY RECOMMENDED to keep the certificate name as the alias, e.g. "Sectigo Public Server Authentication Root R46"
    • Click Save

Additional Resources

Sample openssl command:

hostname="example.com"; openssl s_client -connect "$hostname:443" -servername "$hostname" </dev/null 2>/dev/null | awk '/Certificate chain/,/---/'

Sample output:

Certificate chain
 0 s:CN = *.example.com
   i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 15 00:00:00 2025 GMT; NotAfter: Jul 29 23:59:59 2026 GMT
 1 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36
   i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication Root R46
   a:PKEY: rsaEncryption, 3072 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 22 00:00:00 2021 GMT; NotAfter: Mar 21 23:59:59 2036 GMT

In this case the root certificate is Sectigo Public Server Authentication Root R46 and there's one intermediate, Sectigo Public Server Authentication CA DV R36.

The result for the older Sectigo certificates will look like:

Certificate chain
 0 s:CN = *.example.com
   i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Jun  3 00:00:00 2025 GMT; NotAfter: Jul  4 23:59:59 2026 GMT
 1 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36
   i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication Root R46
   a:PKEY: rsaEncryption, 3072 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 22 00:00:00 2021 GMT; NotAfter: Mar 21 23:59:59 2036 GMT
 2 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication Root R46
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 22 00:00:00 2021 GMT; NotAfter: Jan 18 23:59:59 2038 GMT
 3 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
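
The reading of the first sample chain above (one intermediate, one root) can be scripted. This is an added example, not part of the Salesforce article; the function names `chain_roles` and `sample_chain` are made up for it, and it assumes the server sends every intermediate certificate.

```shell
#!/bin/sh
# Added example, not Salesforce code. Assumes the server sends a complete
# chain (every intermediate), with or without the root itself.

# chain_roles: read `openssl s_client` output on stdin and print
#   intermediate<TAB>CN  for each CA certificate the server sent
#   root<TAB>CN          for the CA at the top of the chain
# Exits non-zero if no certificate chain is found.
chain_roles() {
  awk '
    # Keep the text after the last "CN ="; a name without a CN is returned whole.
    function cn(name) { sub(/^.*CN ?= ?/, "", name); return name }
    /Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/  { in_chain = 0 }
    !in_chain           { next }
    /^ *[0-9]+ s:/ {                       # " 1 s:<subject>" starts entry 1
      max = $1 + 0; seen = 1
      s = $0; sub(/^ *[0-9]+ s:/, "", s); subj[max] = s; next
    }
    seen && /^ *i:/ {                      # "   i:<issuer>" of the same entry
      v = $0; sub(/^ *i:/, "", v); iss[max] = v
    }
    END {
      if (!seen) exit 1
      top = max
      if (subj[max] == iss[max]) top = max - 1   # server sent the self-signed root
      for (d = 1; d <= top; d++) printf "intermediate\t%s\n", cn(subj[d])
      printf "root\t%s\n", cn(iss[max])
    }'
}

# First sample output from this article (a: and v: lines omitted).
sample_chain() {
  cat <<'EOF'
Certificate chain
 0 s:CN = *.example.com
   i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36
 1 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36
   i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication Root R46
---
EOF
}

sample_chain | chain_roles
```

Against a live host, pipe the article's `openssl s_client` command into `chain_roles` instead of `sample_chain`. The output only names the CA certificates; obtain the root to import from the CA's own published repository, since a handshake never proves that a certificate should be trusted.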


Knowledge Article Number

005132043

 