Fixing Java PKIX Certificate Errors in VS Code
Today, while working on my Spring Boot project in VS Code, I hit a snag. The Java extension couldn’t fetch project info from Spring Initializr (api.spring.io) and threw this error:
Failed to fetch Generation from Spring IO: I/O error on GET request for "https://api.spring.io/projects": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I learned this happens because the VS Code Java extension (redhat.java) uses its own embedded JRE, separate from the system’s Java. This embedded JRE has its own certificate truststore (cacerts file), located deep within the extension’s folder (e.g., ~/.vscode/extensions/redhat.java-xxx/jre/**/lib/security/cacerts).
If this specific cacerts file doesn’t trust the certificate from api.spring.io (common behind corporate proxies or with custom CAs), you get the PKIX error.
There are two ways to solve this:
Fix 1
Temporary Fix: Manually add the required certificate(s) to the embedded JRE’s cacerts file using keytool.
Problem: You need to redo this every time the Java extension updates, as the embedded JRE gets replaced.
Fix 2
Persistent Fix (Recommended): Tell the Java extension’s Language Server (JDT LS) to use a different, trusted cacerts file (like your system JRE’s or a custom one).
How: Edit your VS Code settings.json (Ctrl/Cmd+Shift+P -> “Preferences: Open User Settings (JSON)”) and add or modify the java.jdt.ls.vmargs setting:
"java.jdt.ls.vmargs": "-Djavax.net.ssl.trustStore=/path/to/your/trusted/cacerts -Djavax.net.ssl.trustStorePassword=changeit"
(Replace /path/to/your/trusted/cacerts with the actual path to a valid truststore, and changeit with its password if it’s not the default).
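One way to build the custom truststore that Fix 2 points at, as an added example that is not part of the original post. The script name, the alias corp-root-ca and the argument order are assumptions; only standard keytool options are used.

```sh
#!/bin/sh
# Added example; paths, alias and file names below are assumptions.

# List the cacerts files bundled with redhat.java under an extensions dir ($1).
# These are the truststores that Fix 1 patches and that every update replaces.
find_embedded_cacerts() {
    find "$1" -path '*redhat.java-*' -path '*/lib/security/cacerts' -type f 2>/dev/null | sort
}

# Fix 2: copy a base truststore ($1) to a location outside the extension
# folder ($2), then import the CA certificate ($3) under alias ($4).
# javax.net.ssl.trustStore replaces the default truststore rather than adding
# to it, so starting from a full cacerts keeps the public CAs trusted.
build_truststore() {
    base=$1; out=$2; ca=$3; name=$4; pass=${5:-changeit}
    cp "$base" "$out" || return 1
    chmod u+w "$out" || return 1
    # Without -noprompt, keytool prints the certificate's fingerprints and asks
    # for confirmation. Compare the SHA-256 value with the one published by
    # whoever operates the CA before answering yes.
    keytool -importcert -alias "$name" -file "$ca" \
        -keystore "$out" -storepass "$pass" || return 1
    # Confirm the entry is present in the new truststore.
    keytool -list -keystore "$out" -storepass "$pass" -alias "$name"
}

# Print the settings.json entry for a truststore path ($1) and password ($2).
# Assumes the path has no spaces, quotes or backslashes.
vmargs_setting() {
    printf '"java.jdt.ls.vmargs": "-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s"\n' \
        "$1" "${2:-changeit}"
}

# Usage: sh jdtls-truststore.sh BASE_CACERTS CA_PEM OUT_TRUSTSTORE
if [ "$#" -eq 3 ]; then
    find_embedded_cacerts "$HOME/.vscode/extensions"
    build_truststore "$1" "$3" "$2" corp-root-ca && vmargs_setting "$3"
fi
```

Keep the output truststore outside ~/.vscode/extensions so an extension update does not remove it.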
Key Takeaway:
The VS Code Java extension’s isolation (using its own JRE) can cause certificate issues. Pointing it to a reliable truststore via java.jdt.ls.vmargs is usually the best long-term solution.