# javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

- **ID:** `java/ssl-exception-untrusted-cert`
- **Domain:** java
- **Category:** auth_error
- **Verification level:** ai_generated
- **Fix rate:** 88%

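## Root cause

An SSLException with certificate_unknown occurs when the SSL/TLS handshake fails because the client does not trust the server's certificate, usually because the root CA in the truststore is missing or invalid.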

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| Java 8 | active | — | — |
| Java 11 | active | — | — |
| Java 17 | active | — | — |
| OpenJDK 11.0.18 | active | — | — |
| Apache Tomcat 9 | active | — | — |
| Spring Boot 2.7 | active | — | — |

## Solutions

1. Import the server's certificate into the JVM truststore using keytool:
   ```
   keytool -import -alias myserver -keystore $JAVA_HOME/lib/security/cacerts -file server.crt -storepass changeit
   ```
2. Set the system property to use a custom truststore:
   ```
   -Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit
   ```
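
To confirm that either fix took effect, the check below (an added example, not part of the original entry) loads a truststore and tests whether a certificate chain validates against it with the JVM's default trust manager, without opening a network connection. The class name `TrustStoreCheck`, the `TRUSTSTORE_PASS` environment variable and the `ECDHE_RSA` auth type are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreCheck {
    // Build trust managers from one truststore file (cacerts or a custom one).
    static TrustManager[] trustManagers(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    // True if the chain in certFile (PEM or DER, leaf certificate first) validates.
    static boolean isTrusted(TrustManager[] tms, String certFile) throws Exception {
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(certFile)) {
            chain = CertificateFactory.getInstance("X.509")
                .generateCertificates(in).toArray(new X509Certificate[0]);
        }
        try {
            // authType is the key exchange name; "ECDHE_RSA" is an assumption here.
            ((X509TrustManager) tms[0]).checkServerTrusted(chain, "ECDHE_RSA");
            return true;
        } catch (CertificateException e) {
            System.err.println("Not trusted: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: java TrustStoreCheck <truststore> <cert-file>
        // The truststore password is read from TRUSTSTORE_PASS (must be set).
        char[] pass = System.getenv("TRUSTSTORE_PASS").toCharArray();
        TrustManager[] tms = trustManagers(args[0], pass);
        System.out.println(isTrusted(tms, args[1]) ? "TRUSTED" : "NOT TRUSTED");
    }
}
```

This checks trust only; hostname verification is a separate step performed by the HTTPS client.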

## Failed attempts

- **** — The error is about trust, not cipher suite compatibility; disabling ECC may break other connections. (50% failure rate)
- **** — It opens the system to man-in-the-middle attacks; also, some security policies may reject such code. (95% failure rate)
