Azure Event Grid
An Azure event routing service designed for high availability, consistent performance, and dynamic scale.
438 questions
Self-signed CER
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 44%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Mark Pope
45
Reputation points
I am deploying a container application that consumes MQTT messages from Event Grid and publishes to other MQTT brokers. In testing Event Grid, I created self-signed certs and subscribed to Event Grid using MQTT Explorer. I am able to publish and consume messages with this tool. In building my container app in Java I can connect to the MQTT broker using the self-signed certs but cannot connect to the Event Grid. I isolated my code to a junit test in VSCode, changing the AzureCliCredentialBuilder class instead of DefaultAzureCredentialBuilder and get the same error. The error is
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I've continued tweaking the junit test with no success, I've use InstallCert to add EventGrid certs to my JVM truststore, tried to create a custom trust store, ensured one installed JDK, with no success. I suspect Java is more secure and wants the entire chain while MQTT Explorer and the MQTT broker are more lenient.
I have the intermediate CA certificate loaded in Event Grid MQTT Broker and clients authenticate setting is thumbprint. Do I need a trusted root signed CA Cert? Or am I missing something?
Azure Event Grid
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 22%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESE%3C/text%3E%3C/svg%3E)
Shireesha Eeraboina 2,815 Reputation points Microsoft External Staff2025-04-30T03:48:23.91+00:00 Hi Mark Pope,
It seems like you are facing an issue with connecting to Event Grid from your Java container application due to certificate validation errors. The error message you provided indicates that there is an issue with validating the certificate chain.
In Java, when establishing an SSL connection, the certificate presented by the server needs to be validated against the truststore to ensure it is trusted. If the certificate chain presented by the server is not trusted by the JVM's truststore, you may encounter the "PKIX path building failed" error.
Here are some steps you can take to resolve this issue:
- Make sure that the entire certificate chain, including the root CA certificate, is present in the truststore that your Java application is using. If any intermediate or root CA certificates are missing, the certificate validation will fail.
- While self-signed certificates can work in some scenarios, using a trusted root signed CA certificate is recommended for production environments. Ensure that the root CA certificate used to sign the server certificate is trusted by the JVM.
- Since you mentioned that the clients authenticate using thumbprint, ensure that the thumbprint authentication settings are correctly configured in your Java application.
- Double-check that you have correctly configured your Java application to use the custom truststore where you added the necessary certificates.
- You can enable SSL debugging in Java to get more detailed information about the SSL handshake process. This can help you identify where the certificate validation is failing.
To help you better understand, kindly refer to the documentations below :
https://learn.microsoft.com/en-us/azure/event-grid/mqtt-client-certificate-authentication
By ensuring that the entire certificate chain is present in the truststore, using a trusted root signed CA certificate, and verifying your truststore configuration, you should be able to establish a secure connection to Event Grid from your Java container application.
Sign in to comment
Sign in to answer