You may think that REST APIs are super easy to use with tRESTClient in Talend and nothing really can surprise you here. Until you try to get data from token based authenticated API.

In such case you don’t use built-in authentication feature in tRESTClient but you rely on auth tokens delivered by the API provider. So the tRESTClient component will look somehow like this

tRESTClient with external certificate

The Problem

Everything seems to be fine at this point but suddenly when you run the script you got bunch of strange errors including:

Could not send message. PKIX path building failed

tRESTClient with external certificate

As this can be read in between the lines of this horrifying error above, the real problem is with the security certificate API provider is using.

The Solution

There are at least 2 easy ways to solve this problem. First requires tSetKeystore component to be used together with tRESTClient but in my opinion more robust and elegant solution should be used.

True nature of the issue is that Java cannot find certificate used in the HTTPS communication in the local trusted keystore. So the most natural way is to add missing certificate (of course as long as we trust the provider).

1. find Java Install path

In order to add certificate we need to find path where JDE/JRE is installed. In Windows is pretty straightforward.  You go to Start>Control Panel> type Java > Java Configuration and after you click View button in Java tab you will see all versions installed with paths:

tRESTClient with external certificate

As I am using java 1.8 in my Talend projects, I will focus on it’s path. So i go to top directory for this version and then to lib\security folder which is in my case

C:\Program Files (x86)\Java\jre1.8.0_91\lib\securty


tRESTClient with external certificate

Note that there’s a cacerts file. This is the binary file holding all certificates for Java. Super important note: cacert file is also present in various others folders within whole Java directory. However if you would like to get streamlined experience without need for adjustments, let’s focus on the one in lib\security.

2. Download Certificate

Now when we have located our target path, let’s go and download the certificate. You simply go to API URL (same you are using in tRestClient) and click Certificate icon in your browser.

tRESTClient with external certificate

Click on the Certificate button and then on Details tab you will have option to Copy to file. Use Default DER format. This should result in .cer file saved somewhere on your drive. Make sure to copy this file to some simple high level location for ease of use in the next step

3. Add Certificate to keystore

To add certificate you need to access command line (cmd.exe) and run the following command (make sure to run cmd.exe as Administrator)

cd java_path\bin
keytool -keystore ..\lib\security\cacerts -import -alias your_api_name -file path_to_downloaded_cert\cert_name.cer


so in my case it will be:

cd C:\Program Files (x86)\Java\jre1.8.0_91\lib\
keytool -keystore ..\lib\security\cacerts -import -alias test_api -file C:\Users\darth0s\Downloads\certu.cer


Note the double ..\ as cacert file is in the different location than keystore application.

After hitting enter, you might be asked for password. If just pressing enter doesn’t work, then default Java keystore password is changeit. Yes, it’s the phrase changeit. Don’t ask..

If certificate file was found in the files system, you will be asked to trust this certificate and you obviously need to type yes and hit Enter

tRESTClient with external certificate

Now when you run

keytool -v -list -keystore ..\lib\security\cacerts -alias test_api

you should get positive response from the keytool showing that it was added.  Right now, you should go ahead restart Talend and tRESTClient should function properly.