
Sunday, February 28, 2016

WebSphere SSL - invalid certificate, key identifier is missing from authority key identifier extension

When you try to access a secured web service from your WebSphere application and get an error such as

"org.apache.axis2.AxisFault: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.g:PKIX path building failed: java.security.cert.CertPathBuilderException: invalid certificate, key identifier is missing from authority key identifier extension"

you probably need to install the certificate in WebSphere.

To establish trusted server-to-server communication for IBM Connections, import signer certificates from IBM HTTP Server into the WebSphere Application Server default trust store.
There are different types of certificates that you can use. This procedure describes how to import a self-signed certificate. You can also import a certificate that you purchased from a third-party Certificate Authority. To help decide a key file strategy for your environment, go to the IBM HTTP Server knowledge center.
To import a public certificate from IBM HTTP Server to the default trust store in IBM WebSphere Application Server, complete the following steps:

Procedure

  1. Log into the IBM WebSphere Application Server Integrated Solutions Console and select Security > SSL Certificate and key management > Key stores and certificates.
  2. Click CellDefaultTrustStore.
  3. Click Signer Certificates.
  4. Click Retrieve from port.
  5. Enter the Host name, SSL Port, and Alias of the web server. The Alias is typically an arbitrary string that will become the name of the credentials.
  6. Click Retrieve Signer Information and then click OK. The root certificate is added to the list of signer certificates.
  7. If using Tivoli® Access Manager or other proxies, also repeat steps 4-6 for your Tivoli Access Manager or other proxy servers.
  8. Restart the server.

There is another way:

Procedure


First, export the certificate:
Navigate to the URL in a browser, click the certificate in the browser, and export it in DER or Base64 format.
Save it in an accessible path.
  1. Log into the IBM WebSphere Application Server Integrated Solutions Console and select Security > SSL Certificate and key management > Key stores and certificates.
  2. Click NodeDefaultTrustStore.
  3. Click Signer Certificates.
  4. Click Add.
  5. Enter the Alias of the web server (the Alias is typically an arbitrary string that will become the name of the credentials) and the location of the exported certificate described above, then choose the right data type (DER or Base64).
  6. Then click OK. The root certificate is added to the list of signer certificates.
  7. Restart the server.
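
Adding a signer makes WebSphere trust whatever certificate the browser or port handed back, so the exported file is worth inspecting before step 4. The Java program below is an added example, not code from the original post: it prints the subject, issuer, expiry and SHA-256 fingerprint (to compare with a value obtained directly from the server's administrator) and reports whether the Authority Key Identifier extension carries the key identifier that the error message names. The class name CheckSigner and the file argument are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example (hypothetical class name). Usage: java CheckSigner <exported-cert-file>
public class CheckSigner {

    // Skip one DER tag+length header at pos and return the offset of its content.
    static int skipHeader(byte[] der, int pos) {
        int len = der[pos + 1] & 0xFF;
        return (len & 0x80) == 0 ? pos + 2 : pos + 2 + (len & 0x7F);
    }

    // TRUE when the AuthorityKeyIdentifier extension (OID 2.5.29.35) contains
    // keyIdentifier [0]; null when the certificate has no AKI extension at all.
    static Boolean akiHasKeyId(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue("2.5.29.35"); // OCTET STRING wrapping the value
        if (ext == null) return null;
        int seq = skipHeader(ext, 0);     // step inside the OCTET STRING
        int first = skipHeader(ext, seq); // step inside the SEQUENCE
        // keyIdentifier is the first optional field: context tag [0], primitive = 0x80
        return first < ext.length && (ext[first] & 0xFF) == 0x80;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            // CertificateFactory accepts both binary DER and Base64 encoded files
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        StringBuilder fp = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            fp.append(String.format("%02X:", b));
        }
        fp.setLength(fp.length() - 1); // drop the trailing colon
        System.out.println("Subject : " + cert.getSubjectX500Principal());
        System.out.println("Issuer  : " + cert.getIssuerX500Principal());
        System.out.println("Expires : " + cert.getNotAfter());
        System.out.println("SHA-256 : " + fp);
        Boolean keyId = akiHasKeyId(cert);
        System.out.println("AKI     : " + (keyId == null ? "extension absent"
                : keyId ? "keyIdentifier present" : "keyIdentifier MISSING"));
    }
}
```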
