I ran into similar issues whose cause and solution turned out both to be rather simple:
Main Cause: Did not import the proper cert using keytool
NOTE: Only import root CA (or your own self-signed) certificates
NOTE: don’t import an intermediate, non certificate chain root cert
Solution Example for imap.gmail.com
-
Determine the root CA cert:
openssl s_client -showcerts -connect imap.gmail.com:993
in this case we find the root CA is Equifax Secure Certificate Authority
- Download root CA cert.
- Verify downloaded cert has proper SHA-1 and/or MD5 fingerprints by comparing with info found here
-
Import cert for
javax.net.ssl.trustStore
:keytool -import -alias gmail_imap -file Equifax_Secure_Certificate_Authority.pem
- Run your java code