How to add the client trust store to the Camunda External Task Client

Hello Camunda Team,
I’m facing issue while establishing the connection from Camunda External Task Client (Client Application) to the Camunda Engine (Which is running as Server and secured as well). While fetching the external tasks from the Camunda Engine (we already configured the topic, … in external task client properties file) getting below error.

We have all required certificates at client end to communicate with server.
We observed that it’s not picking the certificates from the client within the application. While sending the request how to send the trust store details from client to server to do that handshake.

Below the snippet of code, how client is communicating with the server.

    public void getExtClient() {
        ExternalTaskClient client = ExternalTaskClient.create().baseUrl(baseUrl)
            .addInterceptor(new NotificationClientRequestInterceptor()).asyncResponseTimeout(asyncTimeOut)
        client.subscribe(topicName).lockDuration(100000L).handler((externalTask, externalTaskService) -> {
            sendEmail(configuration, externalTask, externalTaskService);
public class NotificationClientRequestInterceptor implements ClientRequestInterceptor {
        public void intercept(ClientRequestContext requestContext) {
            requestContext.addHeader("X-AuthToken", tokenAccessor.getAccessToken());

Below is the configuration we are using.



Below is the error I’m getting.
2022-12-02 02:28:58.869 org.camunda.bpm.client [TopicSubscriptionManager] ERROR [process-notification-worker,] - TASK/CLIENT-03001 Exception while fetch and lock task.
org.camunda.bpm.client.impl.EngineClientException: TASK/CLIENT-02002 Exception while establishing connection for request 'POST https://hostname/process/workbench/engine-rest/external-task/fetchAndLock HTTP/1.1
at org.camunda.bpm.client.impl.EngineClientLogger.exceptionWhileEstablishingConnection(

Caused by: PKIX path building failed: unable to find valid certification path to requested target

Caused by: PKIX path building failed: unable to find valid certification path to requested target
at java.base/

Alternatively, if we import certificates at local (java11\java-11-openjdk-\lib\security\cacerts) jdk level in cacerts then we are able to communicate with the camunda engine.

But we don’t want this solution because the external task client is going to be deployed as a pod, there we can’t add the certificates to the cacerts in container.

In our project other services are establishing the connection with camunda engine (Server) which is running in OCP, by using the truststore and keystore provided with in the application.

Could you please help me on this, we are blocked because of this.

@Ingo_Richtsmeier @Niall Niall Deehan
Could you please help me on this.

Hi @Ramanaiah,

It seems to me that you already found a solution.

If you want a better one, you should ask the Java or Kubernetes support for help. My expertise in these areas is limited.

Hope this helps, Ingo