SunCertPathBuilderException in PDI/Kettle

For executing an HTTPS request with a Java software like Kettle / PDI you need to provide a certificate for the domain the request is going to address. A possible error message for a request to using the “HTTP client” step from the “Lookup” section might look like this:

I’ll show you in this article how to deal with this issue on Windows.

Obtain the certificate


The easiest option is to visit the domain ( and click yourself through the dialogues starting from the little lock symbol next to the domain to the details page of the certificate in use. There you can export the certificate choosing X.509 (PEM) for the format. Store it f.x. on C: as ‘’.

Now let’s tell Java about it!

The certificate is added to the main keystore using the keytool program provided by your JRE Рsimply adjust the paths used in the following command so they fit your folder structure and execute it (with admin rights and without the newlines):

¬†To keep unauthorized individuals from tampering with your main keystore you have to give the password which is “changeit” in the likely case you didn’t change it yet.

Restart Kettle and that’s it already.