Microsoft graph API - which certificates are required?

Cristina Hategan 6 Reputation points
2021-04-21T07:52:52.773+00:00

Hello!

I've been working on an integration with the Microsoft Graph API in a Java application running on a WildFly server, and most of the time, when trying to retrieve the access token, I receive the following certificate error:

sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target,
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The steps I follow for authorization are:

  1. The authorization URL (login.microsoftonline.com/common/oauth2/v2.0/authorize) - This one works, and I receive the authorization code.
  2. The token URL (login.microsoftonline.com/common/oauth2/v2.0/token) - This one throws the error related to certificates.
  3. In some cases, for which I did not find a pattern, the authorization and retrieving the access token work, but I receive the certificate error when retrieving a new access token via the refresh token.

In some cases, the authorization flow works without any errors, and of course, I can also use other services provided by the API.

I've tried two ways for adding the certificates to the Java truststore:

  1. Made a call to the outside URLs login.microsoftonline.com and graph.microsoft.com and requested the public key, for example:
    openssl s_client -connect login.microsoftonline.com:443 -showcerts -servername "login.microsoftonline.com" |openssl x509 -outform PEM
    Then I grabbed the key that was served and saved it into a .pem file locally. Then I imported the PEM into the Java truststore using keytool:
    keytool -importcert -file loginmicrosoftonline.pem -keystore truststore.jks -alias "loginmicrosoftonline"
  2. Took the certificates from Chrome - click on the site icon to the left of the address in the address bar, select "Certificate" -> "Details" -> "Copy to file..." and save in the format "DER-encoded binary, single certificate". This was for the following URLs: graph.microsoft.com/v1.0/ and login.microsoftonline.com. I've imported them using keytool.

My question is: what am I missing here? Is there another way I should handle the certificates?

Looking forward to hearing your answers! Thank you!
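A "PKIX path building failed" error means the JVM could not build a chain from the certificate the server presented to a trust anchor in the truststore it is actually using. Note that the pipeline in method 1 above passes `-showcerts` output through `openssl x509`, which keeps only the first certificate in its input (the leaf), so the issuing CA certificates never reach the .pem file. The program below is an added diagnostic example (not code from the question or from Microsoft): it captures the chain a host presents, prints each certificate's subject and issuer, and then validates that chain with the same PKIX machinery the JVM uses, against a truststore you name on the command line. The class name `ChainCheck`, the default truststore path (the JVM's own `cacerts`) and the default password `changeit` are assumptions; point it at the `truststore.jks` the WildFly server is configured with to see which link in the chain is missing.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class ChainCheck {

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "login.microsoftonline.com";
        // Assumed defaults: the JVM's bundled cacerts and its well-known default password.
        String trustStorePath = args.length > 1 ? args[1]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        String trustStorePassword = args.length > 2 ? args[2] : "changeit";

        // Step 1: record what the server actually sends (leaf first, then intermediates, maybe the root).
        X509Certificate[] chain = fetchPresentedChain(host);
        for (int i = 0; i < chain.length; i++) {
            System.out.printf("[%d] subject=%s%n    issuer =%s%n", i,
                    chain[i].getSubjectX500Principal(), chain[i].getIssuerX500Principal());
        }

        // Step 2: validate that chain against the chosen truststore using PKIX, as the JVM does.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePassword.toCharArray());
        }
        PKIXParameters params = new PKIXParameters(ts); // every trusted cert entry becomes an anchor
        params.setRevocationEnabled(false);               // keep this check offline; revocation is separate

        // A PKIX path excludes the trust anchor itself, so drop a trailing self-signed root if present.
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(chain));
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            validator.validate(cf.generateCertPath(path), params);
            System.out.println("OK: chain validates against " + trustStorePath);
        } catch (CertPathValidatorException e) {
            // getIndex() tells you which certificate in the path the validator rejected (-1 if unknown).
            System.out.println("FAIL at path index " + e.getIndex() + " (" + e.getReason() + "): "
                    + e.getMessage());
            System.out.println("The issuer of the last certificate printed above is what the truststore"
                    + " must contain (its CA certificate, not the leaf).");
        }
    }

    /**
     * Opens one TLS connection purely to capture the presented chain.
     * The trust manager below accepts anything and exists only for this diagnostic;
     * it must never be used in the application itself.
     */
    static X509Certificate[] fetchPresentedChain(String host) throws Exception {
        final X509Certificate[][] captured = new X509Certificate[1][];
        TrustManager capture = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String authType) { }
            public void checkServerTrusted(X509Certificate[] c, String authType) { captured[0] = c; }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        // createSocket(host, port) with a hostname sends SNI, which these endpoints need.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            s.startHandshake();
        }
        return captured[0];
    }
}
```

Run it once with the JVM's default cacerts and once with the server's own truststore (`java ChainCheck login.microsoftonline.com /path/to/truststore.jks <password>`); if the first passes and the second fails, the application is using a truststore that lacks the CA, and the certificate to import with `keytool -importcert` is the issuer printed for the highest index, not the leaf. Keep in mind that WildFly only uses a custom truststore if it is pointed at it (for example via the `javax.net.ssl.trustStore` system property or its own SSL configuration), so also confirm which file the running server reads.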

2 answers

  1. Kleimert Pekka (SEBT) 1 Reputation point
    2021-04-28T11:28:00.867+00:00

    I have the exact same problem. I do several HTTPS calls to external systems requiring a cert to be imported, but it's only when I want to fetch the OAuth2 token that I get the PKIX error. But the error only occurs when running in a Docker container. When running outside of the container with the same certificates installed, it seems to be working.


  2. 2022-05-11T13:17:53.247+00:00

    Hi, you can export the correct certificate from this link, using method 2 that you mentioned:

    https://graph.microsoft.com/.default

    I had the exact same issue as you.