Spok Mobile Registration SSL Errors SmartSuite
Overview
In some cases, the SSL Certificate that is in use by the Spok Mobile server may be self signed or might have intermediate or root certificates are are new and do not exist in the Smart Suite Certificate store. When this happens amcreg and amcHostReg will fail to establish an SSL connection the Spok Mobile Server. The below errors may be seen:
2025-06-24 16:09:15 ERROR The AMC Registration Servers are not accessible org.apache.axis.AxisFault: ; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Error calling WebService : javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Solution: Smart Suite 7.x
To resolve this issue, you need to get the certificate chain from the Spok Mobile certificate. Basically, you need the issuing certificates of the Spok Mobile certificate, which may be more than one. In our example, the Spok Mobile certificate had an intermediate and a root certificate. Both of these certificates were uploaded to the Smart Suite system encoded as PEM. Below is the general command that can be used to import the certificates:
The location of the keystore file called cacerts may differ depending on the the version of Smart Suite and the version of java installed. If you run locate on cacerts, you are looking for the cacerts file under /usr/lib/jvm. The might also be able to find the file using the following command: ls -l /usr/lib/jvm/*/jre/lib/security/cacerts
sudo /u01/app/oracle/middleware/oracle_common/jdk/bin/keytool -import -trustcacerts -alias [certificate alias] -file [certificate file] -keystore /usr/lib/jvm/jdk-1.8-oracle-x64/jre/lib/security/cacerts -storepass changeit
In our specific examples, we then ran the below two commands to import those certificates into the keystore:
The certificate alias does have to be uniqe so it does not match any other certificate in the store, but it does not have to be set to a very specific value. We opted for setting the value to the common name of the cert, replacing any spaces or special characters.
sudo /u01/app/oracle/middleware/oracle_common/jdk/bin/keytool -import -trustcacerts -alias sectigo_public_server_authentication_root_r46 -file /u06/tjs/ca_certs/sec_root.crt -keystore /usr/lib/jvm/jdk-1.8-oracle-x64/jre/lib/security/cacerts -storepass changeit sudo /u01/app/oracle/middleware/oracle_common/jdk/bin/keytool -import -trustcacerts -alias sectigo_public_server_authentication_ca_dv_r36 -file /u06/tjs/ca_certs/sec_interm.crt -keystore /usr/lib/jvm/jdk-1.8-oracle-x64/jre/lib/security/cacerts -storepass changeit
With the certificates added amcHostReg should see these changes immediate, but amcreg will require a WebLogic restart. Both amcreg.log and amcHostReg.dbg can be used to monitor for errors.
Solution: Smart Suite 5.x
You can resolve this issue by manually importing the new root or intermediate CA with the following command.
/u01/app/oracle/product/11.2.0/client_1/jdk/bin/keytool -import -trustcacerts -alias [alias for cert] -file[/path/to/certificate.cer] -keystore /u01/app/oracle/jrockit-jdk/jre/lib/security/cacerts -storepass [cert store password]
Smart Suite Oracle Patching
It should be noted that if a server has not had java updated in quite some time, the keystore is likely out of date. So if a new set of public intermediate and root certificates come out, they would not exist in the keystore on the server, thus causing this issue. So, keeping Smart Suite up to date on releases and patches could prevent this issue from happening.