
Certificates

Generating a certificate manually

Untrusted certificate issue

  • When a remote server presents a self-signed certificate (or one issued by a private CA), the TLS connection fails because the Java runtime cannot build a path from that certificate to any certificate in the Redpeaks truststore.

Symptoms: Error messages such as:

javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
  • To resolve this problem, import the remote server's certificate (or its issuing CA certificate) into the Redpeaks truststore by following this Procedure
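The failure and the fix, reproduced with openssl so it can be run offline. This is an added example and not part of the Redpeaks documentation or product: it constructs a self-signed certificate standing in for the remote server, shows that verification fails until the verifier is told to trust that exact certificate, and, when a JDK is available, performs the equivalent Java-side import with keytool. The host name remote.example.com, the port 8443 and the truststore path/password (truststore.jks / changeit) are assumptions; substitute the real Redpeaks truststore.

```shell
#!/bin/sh
# Added example, not part of the Redpeaks documentation.
# Reproduces "unable to find valid certification path" with openssl and shows
# the fix: trust the remote server's self-signed certificate explicitly.
set -eu
WORK=$(mktemp -d); cd "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the remote server's self-signed certificate.
# A private openssl config keeps the example independent of the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = placeholder
[ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:remote.example.com
EOF
openssl ecparam -name prime256v1 -genkey -noout -out remote.key
openssl req -x509 -config req.cnf -key remote.key -subj "/CN=remote.example.com" \
    -days 365 -out remote.crt

# Against a live endpoint you would fetch the leaf certificate instead (not run here):
fetch_remote_cert() {  # $1 = host, $2 = port, $3 = output PEM file
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# openssl verify exits 0 only when a path to a trusted anchor can be built.
verify_against() {  # $1 = certificate to check, $2 = trust anchor file, or "-" for the default store only
    if [ "$2" = "-" ]; then
        openssl verify "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Java-side equivalent of the fix: the certificate becomes a trustedCertEntry.
# Idempotent (re-importing a renewed certificate replaces the old entry).
# Prints the entry type, or "skipped" when no JDK is installed.
import_into_truststore() {  # $1 = certificate, $2 = truststore (placeholder), $3 = alias
    command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
    keytool -delete -alias "$3" -keystore "$2" -storepass changeit >/dev/null 2>&1 || true
    keytool -importcert -noprompt -trustcacerts -alias "$3" -file "$1" \
        -keystore "$2" -storepass changeit >/dev/null 2>&1
    keytool -list -keystore "$2" -storepass changeit -alias "$3" 2>/dev/null | grep -o trustedCertEntry
}

echo "default trust store: $(verify_against remote.crt - && echo OK || echo FAIL)"          # FAIL (self-signed)
echo "explicitly trusted:  $(verify_against remote.crt remote.crt && echo OK || echo FAIL)" # OK
echo "java truststore:     $(import_into_truststore remote.crt truststore.jks remote.example.com)"
```

The same "FAIL then OK" pattern is what the Java side goes through: the PKIX error disappears only once the certificate (or its issuing CA) is present as a trustedCertEntry in the truststore the application actually loads; importing it into another keystore on the same machine changes nothing.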

SAN (Subject Alternative Name) issues

Browsers reject a certificate if the host name (or IP address) typed in the address bar does not appear in its Subject Alternative Name (SAN) list. Modern browsers ignore the Common Name (CN) for this check, so a certificate whose only name is in the CN fails, and a server reached by IP address needs an IP entry, not a DNS entry.

Symptoms:

  • Chrome: NET::ERR_CERT_COMMON_NAME_INVALID
  • Firefox: SSL_ERROR_BAD_CERT_DOMAIN

Check SAN:

  • In browser: Certificate → Details → Subject Alternative Name.
  • From console:
openssl x509 -in server.crt -text -noout | grep -A1 'Subject Alternative Name'

Fixing SAN problems

  • Regenerate the certificate with the correct SAN values, listing every host name and IP address clients will use
    • With keytool, add -ext SAN=DNS:hostname,IP:serverIP to the -genkeypair (or -certreq) command used to generate the certificate, e.g. -ext SAN=DNS:promonitor.example.com,IP:192.0.2.10 (example names)

CA and chain issues

Even with a certificate signed by a valid CA, the application may serve only the server certificate, without the intermediate CA

Browsers then reject the connection because they cannot build a path from the server certificate to a trusted root. Some clients fetch missing intermediates themselves (Chrome via the AIA extension, Firefox from its preloaded intermediate list) or have them cached, so the problem may show up only on some machines or only with non-browser clients

Symptoms:

  • Chrome: ERR_CERT_AUTHORITY_INVALID
  • Firefox: SEC_ERROR_UNKNOWN_ISSUER (MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT if the served certificate is itself self-signed)
  • openssl s_client -showcerts shows only ONE certificate
  • keytool -list -v shows: Certificate chain length: 1

Cause:

  • The Java keystore contains:
    1. PrivateKeyEntry: the private key with the server certificate only
    2. trustedCertEntry: the CA and intermediate certificates, as separate entries
  • Redpeaks does NOT assemble the chain automatically: Java's key manager sends exactly the certificate chain stored with the PrivateKeyEntry, and trustedCertEntry entries in the same keystore are never used to complete it
  • The full chain MUST therefore be stored inside the PrivateKeyEntry

Detecting the problem

Check what Redpeaks is sending:

openssl s_client -connect hostname:8443 -showcerts

Check keystore:

keytool -list -v -keystore .keystore -alias <alias>

If the output shows Certificate chain length: 1, the chain stored with the key is incomplete

Fixing chain problems

Convert CER to PEM if necessary (a .cer file is either DER or PEM; if it already contains -----BEGIN CERTIFICATE----- it is PEM and needs no conversion):

openssl x509 -inform DER -in file.cer -out file.crt

Build the chain file, intermediates first in issuing order (the one that signed the server certificate first), root last. The root may be omitted since clients must already trust it; including it is harmless:

cat intermediate.crt root.crt > chain.pem

Build a PKCS12 containing key + certificate + full chain. -name sets the alias of the entry inside the PKCS12; when prompted for the export password, use the one given as -srcstorepass in the next step (agentilKeyStore):

openssl pkcs12 -export -inkey server.key -in server.crt -certfile chain.pem -name pro_monitor -out fullcert.p12

Import into the Redpeaks keystore. The entry must end up under the alias the application uses (tomcat, the alias checked in the next step), so map the PKCS12 alias to it with -srcalias/-destalias; -noprompt replaces an existing tomcat entry without asking:

keytool -importkeystore -srckeystore fullcert.p12 -srcstoretype PKCS12 -srcstorepass agentilKeyStore \
      -srcalias pro_monitor -destalias tomcat -noprompt \
      -destkeystore [REDPEAKS_HOME]/certificates/.keystore -deststoretype JKS -deststorepass agentilKeyStore

Verify:

keytool -list -v -keystore [REDPEAKS_HOME]/certificates/.keystore -alias tomcat

→ Certificate chain length should now be 2 (server certificate + intermediate) or 3 (with the root included in chain.pem), and openssl s_client -showcerts should list the same certificates
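The whole procedure, including the SAN check from the section above, as a runnable added example. This is not code from the Redpeaks documentation or product: it constructs a throw-away root, intermediate and server certificate with openssl, reproduces the "chain length 1" failure from the client's point of view, builds the PKCS12 with key + leaf + chain exactly as above, and, when a JDK is present, imports it into a JKS keystore under the tomcat alias and reads the chain length back. Assumed values: the names promonitor.example.com / 192.0.2.10, the aliases pro_monitor and tomcat, and the store password agentilKeyStore shown on this page.

```shell
#!/bin/sh
# Added example, not part of the Redpeaks documentation.
# root -> intermediate -> server chain; incomplete-chain failure; PKCS12 fix; JKS import.
set -eu
WORK=$(mktemp -d); cd "$WORK"
trap 'rm -rf "$WORK"' EXIT
PASS=agentilKeyStore   # store password used on this page; change it in production

# Private openssl config so the example does not depend on the system openssl.cnf
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
# The SAN must list every name and IP clients will use (constructed example values)
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:promonitor.example.com,IP:192.0.2.10\n' > leaf.ext

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# 1. Root CA (self-signed), intermediate CA (signed by root), server leaf (signed by intermediate)
newkey root.key
openssl req -x509 -config req.cnf -key root.key -subj "/CN=Example Root CA" -days 3650 -out root.crt
newkey intermediate.key
openssl req -new -config req.cnf -key intermediate.key -subj "/CN=Example Intermediate CA" -out int.csr
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -set_serial 2 -days 1825 \
    -extfile int.ext -out intermediate.crt 2>/dev/null
newkey server.key
openssl req -new -config req.cnf -key server.key -subj "/CN=promonitor.example.com" -out server.csr
openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key -set_serial 3 -days 825 \
    -extfile leaf.ext -out server.crt 2>/dev/null

# 2. SAN check: the line browsers match the host name / IP against
san_of() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'; }

# 3. Client's view: root trusted, leaf received, intermediate either sent by the server ($2) or not ("").
#    Exit 0 only when a path to the root can be built.
verify_leaf() {  # $1 = leaf, $2 = file with the intermediates the server sends, or ""
    if [ -n "$2" ]; then
        openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile root.crt "$1" >/dev/null 2>&1
    fi
}

# 4. The fix: one PKCS12 holding key + leaf + intermediate + root (same command as the procedure above)
cat intermediate.crt root.crt > chain.pem
openssl pkcs12 -export -inkey server.key -in server.crt -certfile chain.pem \
    -name pro_monitor -passout "pass:$PASS" -out fullcert.p12
p12_chain_length() { openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }

# 5. Import into a JKS under the alias the application uses and read back the chain length
#    (prints "skipped" when no JDK is installed)
jks_chain_length() {
    command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
    keytool -importkeystore -noprompt -srckeystore fullcert.p12 -srcstoretype PKCS12 -srcstorepass "$PASS" \
        -srcalias pro_monitor -destalias tomcat -destkeypass "$PASS" \
        -destkeystore .keystore -deststoretype JKS -deststorepass "$PASS" >/dev/null 2>&1
    keytool -list -v -keystore .keystore -storepass "$PASS" -alias tomcat 2>/dev/null \
        | sed -n 's/^Certificate chain length: //p'
}

echo "SAN:                $(san_of server.crt)"
echo "leaf only:          $(verify_leaf server.crt '' && echo OK || echo FAIL)"                # FAIL: chain length 1
echo "with intermediate:  $(verify_leaf server.crt intermediate.crt && echo OK || echo FAIL)"  # OK
echo "certs in PKCS12:    $(p12_chain_length fullcert.p12)"                                    # 3
echo "JKS chain length:   $(jks_chain_length)"                                                 # 3, or skipped
```

The "leaf only" failure is exactly what a browser sees when Redpeaks serves a PrivateKeyEntry whose chain is only the server certificate; the verify_leaf function is a quick way to test a candidate chain file before touching the keystore.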

CA trust on client side

Even with a complete chain, clients must trust the CA root

  • On Windows (Chrome / Edge):
    • Ensure your CA root is installed under Trusted Root Certification Authorities in the Windows certificate store (certlm.msc for the machine store, certmgr.msc for the current user); Chrome and Edge use that store
  • On Firefox:
    • Open Settings → Privacy & Security → Certificates → View Certificates → Authorities
    • Import the CA root and mark it as trusted to identify websites

If the CA root is missing on the client, browsers still show ERR_CERT_AUTHORITY_INVALID (or the equivalent), even when the server is correctly configured and sends the complete chain

products/promonitor/latest/troubleshooting/certificates.txt · Last modified: by rbariou