# javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

- **ID:** `kafka/ssl-certificate-verification-failed`
- **Domain:** kafka
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 93%

## Root Cause

The Kafka client cannot verify the broker's SSL certificate because the CA certificate is missing from the truststore.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| 2.8.0 | active | — | — |
| 3.0.0 | active | — | — |
| 3.4.0 | active | — | — |

## Workarounds

1. **Import the broker's CA certificate into the client's truststore**, then configure the client with `ssl.truststore.location` and `ssl.truststore.password`. (95% success)
   ```
   keytool -import -trustcacerts -alias broker-ca -file ca.crt -keystore client.truststore.jks -storepass changeit -noprompt
   ```
2. **If using Java, set the truststore globally via JVM properties.** (90% success)
   ```
   -Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit
   ```

## Dead Ends

- Setting `ssl.endpoint.identification.algorithm` to empty disables hostname verification but does not fix the missing certificate chain. (70% fail)
- Restarting the client or broker does not install missing CA certificates. (95% fail)
