I get the following error in my logs after I am returned to the web application after SSO:
Code:
ERROR 24.01.2013 14:38:10:219 (CertPathPKIXTrustEvaluator.java:validate:81) - PKIX path construction failed for untrusted credential: [subjectName='CN=*.difi.no,O=DIREKTORATET FOR FORVALTNING OG IKT,L=Oslo,ST=Oslo,C=NO' |credential entityID='idporten-ver2.difi.no']: unable to find valid certification path to requested target
To me, it seems that this belongs to the IdP's server certificate and not to the public key of the metadata/IdP certificate which I have added to my keystore. I have received the server's SSL certificate and tried to add that to my keystore as well, but the error message is still there.

Everything works, but I want to get rid of this error message, which fills up my log.

Do I have to change some settings in ExtendedMetadata?

Additional information:
  • My (SP) metadata is hand-written and I have skipped <ds:Signature... </ds:Signature>. My public key for signing and encryption is included, of course.
  • The SP's public and private keys are generated using openssl with the AES algorithm.
  • I'm using the IdP's test server, that's why I have generated the SP key pair by myself.


Regarding ExtendedMetadata, should I place an ExtendedMetadataDelegate block around my SP metadata settings and change some of the securityProfile properties, since I have skipped signing my SP metadata?

My settings so far:

Code:
    <!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here -->
    <!-- Do not forget to call initialize method on providers -->
    <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                    <constructor-arg>
                        <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                            <constructor-arg>
                                <value type="java.io.File">${nettskjema.saml.minid_xml_path}</value>
                            </constructor-arg>
                            <property name="parserPool" ref="parserPool"/>
                        </bean>
                    </constructor-arg>
                    <constructor-arg>
                        <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"/>
                    </constructor-arg>
                </bean>
                <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                    <constructor-arg>
                        <value type="java.io.File">${nettskjema.saml.metadata_provider_path}</value>
                    </constructor-arg>
                    <property name="parserPool" ref="parserPool"/>
                </bean>
            </list>
        </constructor-arg>
        <property name="hostedSPName" value="${nettskjema.saml.hostedSPName}"/>
        <!-- OPTIONAL property: can tell the system which IDP should be used for authenticating user by default. -->
        <property name="defaultIDP" value="${nettskjema.saml.defaultIDP}"/>
    </bean>
Regarding the last placeholder, here's the correct value from my property file:
nettskjema.saml.defaultIDP=idporten-ver2.difi.no (this entityID shows up in the error message).
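Added example, not the poster's configuration and not taken from the Spring Security SAML project itself: the shape of the two ExtendedMetadataDelegate blocks the question asks about, with the ExtendedMetadata properties that control which trust profile is applied to the IdP and how the unsigned, hand-written SP metadata is described. The keystore aliases (`sp-signing`, `sp-encryption`, `idp-ssl`) are assumptions. The page does not show whether the PKIX entry in the log is produced by the SAML signature profile or by the TLS (ssl) profile, so the `securityProfile`/`sslSecurityProfile` values below are the settings to check, not a confirmed fix.

```xml
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
    <constructor-arg>
        <list>
            <!-- IdP metadata, wrapped in a delegate so its trust settings are explicit -->
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">${nettskjema.saml.minid_xml_path}</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <!-- metaiop: SAML signatures are trusted only against keys published in the IdP metadata -->
                        <property name="securityProfile" value="metaiop"/>
                        <!-- pkix: the IdP's TLS certificate must chain to a trust anchor in the keystore -->
                        <property name="sslSecurityProfile" value="pkix"/>
                        <!-- keystore aliases used as trust anchors by the pkix profile (alias is an assumption) -->
                        <property name="trustedKeys">
                            <set>
                                <value>idp-ssl</value>
                            </set>
                        </property>
                    </bean>
                </constructor-arg>
                <!-- the signature on the IdP metadata file itself is not verified (test IdP; assumed) -->
                <property name="metadataTrustCheck" value="false"/>
            </bean>
            <!-- hand-written, unsigned SP metadata: marked local so the keys are taken from the keystore -->
            <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
                <constructor-arg>
                    <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                        <constructor-arg>
                            <value type="java.io.File">${nettskjema.saml.metadata_provider_path}</value>
                        </constructor-arg>
                        <property name="parserPool" ref="parserPool"/>
                    </bean>
                </constructor-arg>
                <constructor-arg>
                    <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                        <property name="local" value="true"/>
                        <!-- keystore aliases of the SP key pairs (assumed names) -->
                        <property name="signingKey" value="sp-signing"/>
                        <property name="encryptionKey" value="sp-encryption"/>
                        <!-- metadata is served unsigned, matching the hand-written file -->
                        <property name="signMetadata" value="false"/>
                    </bean>
                </constructor-arg>
            </bean>
        </list>
    </constructor-arg>
    <property name="hostedSPName" value="${nettskjema.saml.hostedSPName}"/>
    <property name="defaultIDP" value="${nettskjema.saml.defaultIDP}"/>
</bean>
```

Under the pkix profile a path has to be built from the presented certificate up to an anchor listed in `trustedKeys`, so the issuing CA chain of the IdP's TLS certificate needs to be in the keystore as well, not only the leaf; under metaiop the keystore trust anchors are not consulted for SAML signatures at all.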