Certificates
Untrusted certificate issue
- When a remote server uses a self-signed certificate, the connection fails because the application does not trust the certificate.
- Symptoms: error messages such as:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- To resolve this problem, import the certificate into the Redpeaks truststore following the dedicated import procedure.
SAN (Subject Alternative Name) issues
Browsers reject a certificate if the hostname used to reach the server does not appear in its SAN list.
Symptoms:
- Chrome: NET::ERR_CERT_COMMON_NAME_INVALID
- Firefox: MOZILLA_PKIX_ERROR
Check the SAN:
- In the browser: Certificate → Details → Subject Alternative Name.
- From the console:
openssl x509 -in server.crt -text -noout | grep -A1 'Subject Alternative Name'
Fixing SAN problems
- Regenerate the certificate with the correct SAN values.
- Add this option to the keytool command that generates the certificate (replace hostname and serverIP with the values clients actually use to reach the server):
-ext SAN=DNS:hostname,IP:serverIP
CA and chain issues
Even with a certificate signed by a valid CA, the application may serve only the server certificate, without the intermediate CA certificate(s).
Browsers then reject the connection because the chain is incomplete.
Symptoms:
- Chrome: ERR_CERT_AUTHORITY_INVALID
- Firefox: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
- openssl s_client -showcerts shows only ONE certificate
- keytool -list -v shows:
Certificate chain length: 1
Cause:
- The Java keystore contains:
  - PrivateKeyEntry: the server certificate only
  - trustedCertEntry: the CA and intermediate certificates
- Redpeaks does NOT assemble the chain automatically.
- The full chain MUST be stored inside the PrivateKeyEntry.
Detecting the problem
Check what Redpeaks is actually sending to clients:
openssl s_client -connect hostname:8443 -showcerts
Check the keystore:
keytool -list -v -keystore .keystore -alias <alias>
If the chain length is 1, the chain is incomplete.
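Scriptable form of the two checks above (SAN lookup and chain length), as an added example that is not part of the Redpeaks documentation: the parsers read text so they can be tested offline, the wrappers feed them live openssl output, and the host redpeaks.example.internal and address 10.0.0.5 in the samples are constructed.

```shell
#!/bin/sh
# Added example (not Redpeaks code): detect an incomplete chain and a hostname
# missing from the SAN. Sample hostnames and addresses below are constructed.

# Count the PEM certificates in text such as `openssl s_client -showcerts`
# output. A result of 1 means the server sent only the leaf certificate.
chain_length() {
  grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Read `openssl x509 -text` output on stdin and succeed (exit 0) only if the
# SAN extension lists the given name as a DNS: or IP Address: entry.
san_has_name() {
  # Escape dots so "10.0.0.5" does not also match "10x0y0z5".
  pattern=$(printf '%s' "$1" | sed 's/[.]/\\./g')
  grep -A1 'Subject Alternative Name' |
    tr ',' '\n' |
    grep -qE "^[[:space:]]*(DNS|IP Address):${pattern}[[:space:]]*$"
}

# Live wrappers (need network access and the openssl CLI).
# Usage: server_chain_length redpeaks-host 8443
server_chain_length() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
    </dev/null 2>/dev/null | chain_length
}
# Usage: cert_san_has_name server.crt redpeaks-host
cert_san_has_name() {
  openssl x509 -in "$1" -text -noout | san_has_name "$2"
}

# Constructed samples standing in for real openssl output.
SAMPLE_SHOWCERTS='-----BEGIN CERTIFICATE-----
placeholder-leaf-certificate-body
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
placeholder-intermediate-certificate-body
-----END CERTIFICATE-----'
SAMPLE_X509_TEXT='            X509v3 Subject Alternative Name:
                DNS:redpeaks.example.internal, IP Address:10.0.0.5'

# Self-check: chain of 2, hostname and IP present, unrelated host absent.
self_check() {
  [ "$(printf '%s\n' "$SAMPLE_SHOWCERTS" | chain_length)" = 2 ] &&
    printf '%s\n' "$SAMPLE_X509_TEXT" | san_has_name redpeaks.example.internal &&
    printf '%s\n' "$SAMPLE_X509_TEXT" | san_has_name 10.0.0.5 &&
    ! printf '%s\n' "$SAMPLE_X509_TEXT" | san_has_name other.example.internal
}
self_check && echo "sample checks passed"
```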
Fixing chain problems
Convert a DER-encoded .cer file to PEM if necessary:
openssl x509 -inform DER -in file.cer -out file.crt
Build the chain file (intermediate first, then root):
cat intermediate.crt root.crt > chain.pem
Build a PKCS12 file containing the private key, the server certificate and the full chain:
openssl pkcs12 -export -inkey server.key -in server.crt -certfile chain.pem -name pro_monitor -out fullcert.p12
Import it into the Redpeaks keystore:
keytool -importkeystore -srckeystore fullcert.p12 -srcstoretype PKCS12 -srcstorepass agentilKeyStore \
-destkeystore [REDPEAKS_HOME]/certificates/.keystore -deststoretype JKS -deststorepass agentilKeyStore
Verify (the alias is the one given with -name in the pkcs12 export, pro_monitor above):
keytool -list -v -keystore [REDPEAKS_HOME]/certificates/.keystore -alias pro_monitor
→ Certificate chain length should now be 2 or 3 (server certificate plus intermediate, plus root if it was included in chain.pem)
CA trust on client side
Even with a complete chain, clients must trust the CA root.
- On Windows (Chrome / Edge):
  - Ensure the CA root is installed under Trusted Root Certification Authorities.
- On Firefox:
  - Open Settings → Privacy & Security → Certificates → View Certificates → Authorities.
  - Import the CA root and mark it as trusted to identify websites.
If the CA root is missing on the client, browsers will still show ERR_CERT_AUTHORITY_INVALID or an equivalent error, even if the server is correctly configured.
