Knowledge Base > Article [0031]

Clickatell SSL API

You may receive the following error when you try to send SMS using the Clickatell SSL API.

"PKIX path validation failed: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path."

It actually means that the top(or intermediate) CA of the Clickatell SSL certificate is not trusted by your DualShield or DUAP server.

You can work it around in one of the following ways.

1. Change to HTTP

Find in the file clickatell.xml, change it to

In DualShield(V5x), this file is located in C:\Program Files\Deepnet DualShield\smsproviders

In DUAP (V3x), it is located in C:\Program Files\Deepnet Authentication Server\Tomcat\conf\dgs

2. Import the related CA certificate to Deepnet JAVA CA store.

In Browser, type the url "", view the certificate.

Then, select the intermediate one "thawte Primary Root CA", View this certificate and go to the tab "Details"


Then Copy it to File, choose BASE64 format

Assume the saved certificate file is called tprca.cer, in Windows Prompt, execute the following command

On DualShield

"C:\Program Files\Deepnet DualShield\jre\bin\keytool" -import -trustcacerts -alias "thawte pr" -file tprca.cer -keystore "C:\Program Files\Deepnet       DualShield\jre\lib\security\cacerts"


"C:\Program Files\Deepnet Authentication Server\jre\bin\keytool" -import -trustcacerts -alias "thawte pr" -file tprca.cer -keystore " C:\Program Files\Deepnet Authentication Server\jre\lib\security\cacerts"

type "changeit" if you are asked for password. You should see the response " Certificate was added to keystore" if you do it correctly.

You may need to restart your DualShield or DUAP service for it to take effect.