host:~ zcai$ /usr/libexec/java_home -v 1.8
/Library/Java/JavaVirtualMachines/jdk1.8.0_121.jdk/Contents/Home
keytool -list -v -keystore jre/lib/security/cacerts > ~/java_cacerts.txt
Enter keystore password: changeit
Take a look at java_cacerts.txt and check whether it includes the same certificate that is present in the browser by searching for a matching serial number. In the java_cacerts.txt file, the serial number will be in lowercase and without the ":" (colon) separators. If the certificate is not present, this could be the reason for the error, and we can fix it by adding the certificate found in the browser.
Show the certificate and save it to ~/Downloads/ldaps_ca.txt:
openssl s_client -showcerts -connect shdc2.seres.local:636
vi ~/Downloads/ldaps_ca.txt
keytool -import -alias ldaps_ca -keystore ./jre/lib/security/cacerts -file ~/Downloads/ldaps_ca.txt
You will be prompted for a password; use 'changeit'.
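The serial-number comparison and the manual copy out of the s_client output described above, as an added example that is not part of the original page. The function names and the sample listing are constructed for illustration; it assumes the listing was produced with `keytool -list -v`.

```shell
#!/bin/sh
# Added example (not from the original page): helpers for the manual
# steps above. Sample data below is constructed, not real certificates.

# Browser ("00:A1:B2:0C") or `openssl x509 -noout -serial`
# ("serial=00A1B20C") form -> keytool form: lowercase hex, no colons.
# keytool prints the serial as a hex integer, so leading zeros are dropped.
normalize_serial() {
    printf '%s\n' "$1" \
        | sed -e 's/^serial=//' -e 's/[: ]//g' \
        | tr '[:upper:]' '[:lower:]' \
        | sed -e 's/^0*//' -e 's/^$/0/'
}

# Succeeds if the serial ($1) is on a "Serial number:" line of a
# `keytool -list -v` listing file ($2). Whole-value match only.
serial_in_listing() {
    want=$(normalize_serial "$1")
    sed -n 's/^Serial number:[[:space:]]*\([0-9a-fA-F]*\).*/\1/p' "$2" \
        | grep -qxF "$want"
}

# Print the Nth ($1) PEM block from `openssl s_client -showcerts`
# output on stdin, dropping the handshake text around it.
extract_pem_cert() {
    awk -v want="$1" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; on = 1 }
        on && n == want { print }
        /^-----END CERTIFICATE-----$/   { on = 0 }'
}

# Constructed excerpt of a `keytool -list -v` listing.
sample_listing() {
    cat <<'EOF'
Alias name: constructed_root_a
Owner: CN=Constructed Root A
Serial number: a1b20c035d4f
Alias name: constructed_root_b
Owner: CN=Constructed Root B
Serial number: 4eb200670c03
EOF
}

# Demo on the constructed listing.
tmp=$(mktemp) && sample_listing > "$tmp"
for s in "00:A1:B2:0C:03:5D:4F" "4E:B2:00:67"; do
    if serial_in_listing "$s" "$tmp"; then echo "$s: already trusted"
    else echo "$s: not in keystore"; fi
done
rm -f "$tmp"
```

Matching the whole serial rather than a substring avoids a false "already trusted" result when one serial happens to be a prefix of another.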
reference:
http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html