A certificate that Websphere does not trust

I have a web application that calls an SSL protected SOAP web service. (https://zzzzzzzzzzzz/xxxxx ).

The server sends two certificates (Root and Leaf), so I import two certificates using the property: com.ibm.websphere.ssl.retrieveLeafCert .

To enable ssl checking in websphere, I just add certificates to websphere:

SSL certificate and key management → key stores and certificate → NodeDefaultTrustStore → Subscriber certificates → Extract from port:

• host: hostname
• port: 443
• nickname: nickname

The problem is that webshphere does not trust the certificate and gives me this stack,

 used by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking `https://------------------------------` : com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: T`he certificate issued by CN=-------------------------------------------------------------------- is not trusted`; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.6.0] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:56) ~[na:1.6.0] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:39) ~[na:1.6.0] at java.lang.reflect.Constructor.newInstance(Constructor.java:527) ~[na:1.6.0] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1338) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1322) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4] at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) ~[cxf-api-2.7.4.jar:2.7.4] at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4] at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) ~[cxf-api-2.7.4.jar:2.7.4] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271) ~[cxf-api-2.7.4.jar:2.7.4] at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530) ~[cxf-api-2.7.4.jar:2.7.4] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463) ~[cxf-api-2.7.4.jar:2.7.4] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366) ~[cxf-api-2.7.4.jar:2.7.4] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319) ~[cxf-api-2.7.4.jar:2.7.4] at org.apache.cxf.endpoint.ClientImpl.invokeWrapped(ClientImpl.java:354) ~[cxf-api-2.7.4.jar:2.7.4] at org.apache.cxf.jaxws.DispatchImpl.invoke(DispatchImpl.java:385) ~[cxf-rt-frontend-jaxws-2.7.4.jar:2.7.4] ... 100 common frames omitted `Caused by: javax.net.ssl.SSLHandshakeException`: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: `The certificate issued by CN=--------------------------------------------------------- is not trusted`; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error at com.ibm.jsse2.oa(o.java:8) ~[na:6.0 build_20130515] at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:549) ~[na:6.0 build_20130515] at com.ibm.jsse2.kb.a(kb.java:355) ~[na:6.0 build_20130515] at com.ibm.jsse2.kb.a(kb.java:130) ~[na:6.0 build_20130515] at com.ibm.jsse2.lb.a(lb.java:135) ~[na:6.0 build_20130515] at com.ibm.jsse2.lb.a(lb.java:368) ~[na:6.0 build_20130515] at com.ibm.jsse2.kb.s(kb.java:442) ~[na:6.0 build_20130515] at com.ibm.jsse2.kb.a(kb.java:136) ~[na:6.0 build_20130515] at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:495) ~[na:6.0 build_20130515] at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:223) ~[na:6.0 build_20130515] at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:724) ~[na:6.0 build_20130515] at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:81) ~[na:6.0 build_20130515] at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:8) ~[na:6.0 build_20130515] at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:20) ~[na:6.0 build_20130515] at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1043) ~[na:1.6.0] at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:85) ~[na:6.0 build_20130515] at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:168) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1282) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1233) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4] at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:195) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4] at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47) ~[cxf-api-2.7.4.jar:2.7.4] at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69) ~[cxf-api-2.7.4.jar:2.7.4] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1295) ~[cxf-rt-transports-http-2.7.4.jar:2.7.4] ... 110 common frames omitted `Caused by: com.ibm.jsse2.util.j: PKIX path building failed:` java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: T`he certificate issued by CN=-------------------------------------------- is not trusted`; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error at com.ibm.jsse2.util.hb(h.java:39) ~[na:6.0 build_20130515] at com.ibm.jsse2.util.hb(h.java:21) ~[na:6.0 build_20130515] at com.ibm.jsse2.util.ga(g.java:1) ~[na:6.0 build_20130515] at com.ibm.jsse2.pc.a(pc.java:36) ~[na:6.0 build_20130515] at com.ibm.jsse2.pc.checkServerTrusted(pc.java:19) ~[na:6.0 build_20130515] at com.ibm.jsse2.pc.b(pc.java:51) ~[na:6.0 build_20130515] at com.ibm.jsse2.lb.a(lb.java:65) ~[na:6.0 build_20130515] ... 128 common frames omitted Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath. at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:411) ~[na:na] at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:258) ~[na:na] at com.ibm.jsse2.util.hb(h.java:107) ~[na:6.0 build_20130515] ... 134 common frames omitted Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=------------------------------------------------------- at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111) ~[na:na] at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:178) ~[na:na] at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:737) ~[na:na] at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:649) ~[na:na] at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595) ~[na:na] at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:357) ~[na:na] ... 136 common frames omitted Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:298) ~[na:na] at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108) ~[na:na] ... 141 common frames omitted 

The same code is checked in my local environement with a simple use of Installcert.java and runs my tests with -Djavax.net.ssl.trustStore = jssecacerts (jssecacerts is the file created by InstallCert.java).