
Self-signed CER

Mark Pope 70 Reputation points
2025-04-29T23:39:45.4766667+00:00

I am deploying a container application that consumes MQTT messages from Event Grid and publishes to other MQTT brokers. In testing Event Grid, I created self-signed certs and subscribed to Event Grid using MQTT Explorer. I am able to publish and consume messages with this tool. In building my container app in Java I can connect to the MQTT broker using the self-signed certs but cannot connect to the Event Grid. I isolated my code to a JUnit test in VSCode, changing to the AzureCliCredentialBuilder class instead of DefaultAzureCredentialBuilder, and get the same error. The error is:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I've continued tweaking the JUnit test with no success. I've used InstallCert to add Event Grid certs to my JVM truststore, tried to create a custom truststore, and ensured only one JDK is installed, with no success. I suspect Java is more secure and wants the entire chain while MQTT Explorer and the MQTT broker are more lenient.

I have the intermediate CA certificate loaded in the Event Grid MQTT broker, and the client authentication setting is thumbprint. Do I need a trusted root signed CA cert? Or am I missing something?

Azure Event Grid


Answer accepted by question author

Sander van de Velde | MVP 37,066 Reputation points MVP
2025-04-30T10:42:44.0933333+00:00

Hello @Mark Pope,

Welcome to this moderated Azure community forum.

Although I'm not an expert on certificates, I was able to connect several devices and services to the EventGrid Namespace MQTT broker.

Please check out this blog post with several samples on how to generate certificates and connect clients.

Check the section 'What about using root or intermediate certs for authentication?' regarding (self-signed) certificates I was able to use with a root/intermediate scenario.

Microsoft provides sample applications/code here although Java is not part of this. But, eventually every MQTT client should be able to work if it supports certificates as client authentication.


If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. All community members with similar issues will benefit by doing so. Your contribution is highly appreciated.



1 additional answer

  1. Anonymous
    2025-04-30T03:48:23.91+00:00

    Hi Mark Pope,

    It seems like you are facing an issue with connecting to Event Grid from your Java container application due to certificate validation errors. The error message you provided indicates that there is an issue with validating the certificate chain.

    In Java, when establishing an SSL connection, the certificate presented by the server needs to be validated against the truststore to ensure it is trusted. If the certificate chain presented by the server is not trusted by the JVM's truststore, you may encounter the "PKIX path building failed" error.

    Here are some steps you can take to resolve this issue:

    • Make sure that the entire certificate chain, including the root CA certificate, is present in the truststore that your Java application is using. If any intermediate or root CA certificates are missing, the certificate validation will fail.
    • While self-signed certificates can work in some scenarios, using a trusted root signed CA certificate is recommended for production environments. Ensure that the root CA certificate used to sign the server certificate is trusted by the JVM.
    • Since you mentioned that the clients authenticate using thumbprint, ensure that the thumbprint authentication settings are correctly configured in your Java application.
    • Double-check that you have correctly configured your Java application to use the custom truststore where you added the necessary certificates.
    • You can enable SSL debugging in Java to get more detailed information about the SSL handshake process. This can help you identify where the certificate validation is failing.

    To help you better understand, kindly refer to the documentation below:

    https://stackoverflow.com/questions/21076179/pkix-path-building-failed-and-unable-to-find-valid-certification-path-to-requ

    https://learn.microsoft.com/en-us/answers/questions/2125243/how-to-use-a-ca-signed-certificate-in-event-grid-n

    https://learn.microsoft.com/en-us/azure/event-grid/mqtt-client-certificate-authentication

    By ensuring that the entire certificate chain is present in the truststore, using a trusted root signed CA certificate, and verifying your truststore configuration, you should be able to establish a secure connection to Event Grid from your Java container application.
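
An added example, not part of either answer or of Microsoft's samples: a JDK-only check that keeps the two certificate roles in this thread apart, the truststore that validates the server chain (where the PKIX error is raised) and the keystore holding the client certificate the broker authenticates. The class name, file names and single shared password are assumptions; 8883 is the standard MQTT-over-TLS port.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;

// Usage (placeholders): java EventGridTlsCheck <mqtt-hostname> <truststore.p12> <client.p12> <password>
public class EventGridTlsCheck {
    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }
    public static void main(String[] a) throws Exception {
        char[] pw = a[3].toCharArray();
        // Trust side: anchors used to validate the SERVER chain (source of "PKIX path building failed").
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(a[1], pw));
        X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];
        List<X509Certificate> seen = new ArrayList<>();
        X509TrustManager recording = new X509TrustManager() { // records, then delegates: validation is not relaxed
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                seen.addAll(Arrays.asList(c));
                real.checkServerTrusted(c, t);
            }
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException { real.checkClientTrusted(c, t); }
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
        };
        // Key side: the CLIENT certificate and private key the broker authenticates (thumbprint or CA chain).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(a[2], pw), pw);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { recording }, null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(a[0], 8883)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also check the hostname against the certificate
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("Handshake OK: server chain validated against " + a[1]);
        } catch (IOException e) {
            System.out.println("Connection or handshake failed: " + e.getMessage());
        }
        for (X509Certificate c : seen) // the issuer of the last entry is normally the root CA the truststore needs
            System.out.println("subject=" + c.getSubjectX500Principal() + "\n issuer=" + c.getIssuerX500Principal());
    }
}
```

Running it with `-Djavax.net.debug=ssl,handshake` adds the JDK's own handshake trace, which is the SSL debugging the answer above refers to.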

