Unable to RDP to a device - PKIX path validation failed in Java logs

Last Modified

Mon Nov 30 16:23 GMT 2020

Description

The RDP connection fails and the Java connector log shows "PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSServer check failed: SHA1 used with certificate:"

This error can appear when the N-able N-central server has an SSL certificate that is signed with SHA1.

Environment

  • N-able N-central
  • Java 8 Update 141 and above

Solution


To Verify the problem:
  1. Verify the SSL certificate used on the server by checking it against https://www.digicert.com/help/
  2. If you see "Signature algorithm = SHA1 + RSA (deprecated)", your server has a SHA1 SSL certificate. These are no longer trusted by many major tech companies (Google, Microsoft, Java, Mozilla, and more)
  3. Verify the version of Java you have installed on your device
    1. Click 'Start' > 'Control Panel' > 'Java'
    2. Click 'About'
  4. If the installed version is Java 8 Update 141 or above, SHA1 SSL certificates are no longer trusted by Java.
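
An offline version of the check in steps 1 and 2, as an added example that is not part of the original article or of N-able's tooling: it reads the signature algorithm of every certificate in a PEM bundle, because the Java restriction quoted in the release note on this page covers intermediate CA certificates as well as the end-entity certificate. The function names and `SAMPLE_BUNDLE` (constructed skeleton certificates, not real ones) are assumptions of this example.

```python
import base64
import re

# Signature-algorithm OIDs that sign with SHA-1.
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1",
                 "1.2.840.10040.4.3": "dsa-with-sha1"}

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:                       # short-form length
        return tag, pos, pos + first
    n = first & 0x7F                       # long form: length is in the next n bytes
    return tag, pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")

def _oid(body):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Return the signatureAlgorithm OID of a DER-encoded X.509 certificate."""
    _, start, _ = _tlv(der, 0)             # outer Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, start)       # skip tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)   # signatureAlgorithm SEQUENCE
    tag, o_start, o_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _oid(der[o_start:o_end])

def sha1_certs_in_bundle(pem_text):
    """List (position, algorithm) for each SHA-1-signed certificate in a PEM bundle."""
    pem = r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----"
    oids = [signature_oid(base64.b64decode(b)) for b in re.findall(pem, pem_text, re.S)]
    return [(i, SHA1_SIG_OIDS[o]) for i, o in enumerate(oids) if o in SHA1_SIG_OIDS]

def skeleton_pem(alg_id):
    """Constructed test data: minimal certificate-shaped DER (PKCS #1 OID ending in alg_id)."""
    alg = bytes.fromhex("300d06092a864886f70d0101") + bytes([alg_id]) + b"\x05\x00"
    body = b"\x30\x03\x02\x01\x01" + alg + b"\x03\x02\x00\x00"  # tbs, algorithm, signature
    b64 = base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE = skeleton_pem(0x0B) + skeleton_pem(0x05)  # SHA-256 leaf, SHA-1 intermediate
```

Pass `sha1_certs_in_bundle` the PEM text of the server certificate and its intermediates; position 0 is the first certificate in the file.
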
To Resolve the problem:
  1. Re-sign your SSL certificate with SHA256 and apply it to the N-able N-central server (STRONGLY RECOMMENDED)
    1. See article: How to add a SSL certificate to your N-able N-central Server
  2. Downgrade to a version of Java before Java 8 update 141.
NOTE: Java 8 Update 141 Release Notes

New Features

security-libs/java.security
Disable SHA-1 TLS Server Certificates

Any TLS server certificate chain containing a SHA-1 certificate (end-entity or intermediate CA) and anchored by a root CA certificate included by default in Oracle's JDK is now blocked by default.