# javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

- **ID:** `java/ssl-exception-untrusted-cert`
- **Domain:** java
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 88%

## Root Cause

An `SSLException` with `certificate_unknown` occurs when the SSL/TLS handshake fails because the server's certificate is not trusted by the client, often due to a missing or invalid root CA in the truststore.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Java 8 | active | — | — |
| Java 11 | active | — | — |
| Java 17 | active | — | — |
| OpenJDK 11.0.18 | active | — | — |
| Apache Tomcat 9 | active | — | — |
| Spring Boot 2.7 | active | — | — |

## Workarounds

1. **Import the server's certificate into the JVM truststore using keytool** (90% success)
   ```
   keytool -import -alias myserver -keystore $JAVA_HOME/lib/security/cacerts -file server.crt -storepass changeit
   ```
2. **Set the system properties to use a custom truststore** (85% success)
   ```
   -Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit
   ```
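
To confirm that either workaround actually fixed the trust problem, the certificate file can be checked offline against the truststore with validation left enabled. The following is an added example, not part of the original entry; the class name `TrustCheck` and the command-line argument order are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class name): offline check of a certificate
// file against a truststore, with certificate validation left enabled.
public class TrustCheck {

    // Build the X509TrustManager the JVM would derive from this truststore.
    static X509TrustManager trustManagerFor(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, pass);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Read one or more PEM/DER certificates; the leaf must come first.
    static X509Certificate[] readChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            return cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
    }

    // Usage: java TrustCheck <truststore> <storepass> <server.crt>
    public static void main(String[] args) throws Exception {
        X509TrustManager tm = trustManagerFor(args[0], args[1].toCharArray());
        try {
            // "ECDHE_RSA" is an assumed key-exchange name for the check.
            tm.checkServerTrusted(readChain(args[2]), "ECDHE_RSA");
            System.out.println("TRUSTED by " + args[0]);
        } catch (CertificateException e) {
            System.out.println("NOT TRUSTED: " + e.getMessage());
        }
    }
}
```

This checks the chain of trust only; it does not perform hostname verification, so a `TRUSTED` result does not by itself mean the certificate matches the host being contacted.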

## Dead Ends

- **** — The error is about trust, not cipher suite compatibility; disabling ECC may break other connections. (50% fail)
- **** — It opens the system to man-in-the-middle attacks; also, some security policies may reject such code. (95% fail)
