====== Certificates ======

==== Generating a certificate manually ====

  * [[..:userguide:administration:adminconfig:createcertificat|Follow the procedure here]]

==== SAN (Subject Alternative Name) issues ====

Browsers reject a certificate if the hostname used in the URL does not appear in its SAN list.

Symptoms:

  * Chrome: **NET::ERR_CERT_COMMON_NAME_INVALID**
  * Firefox: **MOZILLA_PKIX_ERROR**

Check the SAN:

  * In the browser: Certificate → Details → ''Subject Alternative Name''.
  * From the console:

<code bash>
openssl x509 -in server.crt -text -noout | grep -A1 'Subject Alternative Name'
</code>

=== Fixing SAN problems ===

  * **Regenerate the certificate** with the correct **SAN** values.
  * Add this option to the ''keytool'' certificate generation command: ''-ext SAN=DNS:hostname,IP:serverIP''

----

==== CA and chain issues ====

Even with a certificate signed by a valid CA, the application may serve only the server certificate, without the intermediate CA. Browsers then reject the connection because the chain is incomplete.

Symptoms:

  * Chrome: **ERR_CERT_AUTHORITY_INVALID**
  * Firefox: **MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT**
  * ''openssl s_client -showcerts'' shows only **ONE certificate**
  * ''keytool -list -v'' shows: ''Certificate chain length: 1''

Cause:

  * The Java keystore contains:
    - PrivateKeyEntry: server certificate only
    - trustedCertEntry: CA and intermediates
  * Redpeaks does NOT assemble the chain automatically
  * The chain MUST be stored inside the PrivateKeyEntry

=== Detecting the problem ===

Check what Redpeaks is sending:

<code bash>
openssl s_client -connect hostname:8443 -showcerts
</code>

Check the keystore (''<alias>'' is the alias of the PrivateKeyEntry):

<code bash>
keytool -list -v -keystore .keystore -alias <alias>
</code>

If the chain length is 1, the chain is incomplete.

=== Fixing chain problems ===

Convert CER to PEM if necessary:

<code bash>
openssl x509 -inform DER -in file.cer -out file.crt
</code>

Build the chain (intermediate first, then root):

<code bash>
cat intermediate.crt root.crt > chain.pem
</code>

Build a PKCS12 containing key + certificate + full chain:

<code bash>
openssl pkcs12 -export -inkey server.key -in server.crt -certfile chain.pem -name pro_monitor -out fullcert.p12
</code>

Import it into the Redpeaks keystore:

<code bash>
keytool -importkeystore -srckeystore fullcert.p12 -srcstoretype PKCS12 -srcstorepass agentilKeyStore \
  -destkeystore [REDPEAKS_HOME]/certificates/.keystore -deststoretype JKS -deststorepass agentilKeyStore
</code>

Verify:

<code bash>
keytool -list -v -keystore [REDPEAKS_HOME]/certificates/.keystore -alias tomcat
</code>

''Certificate chain length'' should now be 2 or 3 (server certificate + CA, plus the intermediate if there is one). The alias must be the one holding the imported entry: ''keytool -importkeystore'' keeps the source alias set by ''-name'' unless ''-destalias'' is specified.

=== CA trust on client side ===

Even with a complete chain, clients must trust the CA root.

  * On Windows (Chrome / Edge):
    * Ensure your CA root is installed under ''Trusted Root Certification Authorities''
  * On Firefox:
    * Open Settings -> Privacy & Security -> Certificates -> View Certificates -> ''Authorities''
    * Import the CA root and mark it as trusted to identify websites

If the CA root is missing on the client, browsers will still show ERR_CERT_AUTHORITY_INVALID or equivalent, even if the server is correctly configured.
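The following script is an added example, not part of the Redpeaks documentation or product. It covers both the SAN section and the chain section above: it builds a throwaway root → intermediate → server PKI with ''openssl'' (assumed to be on ''PATH''), then shows the checks the page describes, i.e. whether a hostname is in the SAN list, how many certificates a leaf file, a full-chain bundle and the exported PKCS12 contain, and whether the leaf validates up to the root with the intermediate. The hostname ''monitor.example.test'', the IP ''192.0.2.10'', the alias and the password ''changeit'' are constructed sample values; ''served_chain_length'' and ''keystore_chain_length'' wrap the page's live ''openssl s_client'' and ''keytool -list -v'' checks and are not executed by the demonstration run.

```shell
#!/bin/sh
# Added example, not part of the Redpeaks documentation or product.
# It builds a throwaway root -> intermediate -> server PKI with openssl
# (assumed on PATH) and then applies the checks described on this page:
# SAN contents, number of certificates served/stored, full-chain validation.
# Hostname, IP, alias and password below are constructed sample values.

# Number of PEM certificates in a file: a .crt, a bundle, or the saved output
# of `openssl s_client -showcerts`. 1 means only the leaf is present.
chain_length() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Does HOST ($2) appear in the SAN list of a saved `openssl x509 -text -noout`
# dump ($1)? openssl prints entries as "DNS:name" and "IP Address:a.b.c.d".
san_contains() {
    grep -A1 'Subject Alternative Name' "$1" | tail -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# Number of certificates inside a PKCS12 file (should be leaf + chain).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# What a running server actually sends (needs a live host; not run here).
served_chain_length() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Chain length as keytool reports it for one keystore entry (keytool assumed
# on PATH; not run here). 1 means the chain is not inside the PrivateKeyEntry.
keystore_chain_length() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" 2>/dev/null \
        | sed -n 's/.*Certificate chain length: *//p'
}

# Build the test PKI in DIR for HOST/IP: root.crt, int.crt, server.crt (leaf
# only), chain.pem (intermediate + root), fullchain.pem and fullcert.p12.
build_test_pki() {
    dir="$1"; host="$2"; ip="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Browsers match the URL against the SAN list, not the CN: put both forms in.
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$host" "$ip" > "$dir/san.ext"
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
    cat "$dir/int.crt" "$dir/root.crt" > "$dir/chain.pem"
    cat "$dir/server.crt" "$dir/chain.pem" > "$dir/fullchain.pem"
    openssl x509 -in "$dir/server.crt" -text -noout > "$dir/server.txt"
    # Key + leaf + full chain in one PKCS12, as the page's import step expects.
    openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
        -certfile "$dir/chain.pem" -name pro_monitor -passout pass:changeit \
        -out "$dir/fullcert.p12" 2>/dev/null
}

# Validate the leaf up to the root, using the intermediate as untrusted chain
# material, and match HOST ($2) against the SAN. Prints OK or FAIL.
verify_chain() {
    if openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
           -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Demonstration run (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    build_test_pki "$work" monitor.example.test 192.0.2.10
    echo "server.crt alone : $(chain_length "$work/server.crt") certificate(s)"   # 1, the incomplete-chain case
    echo "fullchain.pem    : $(chain_length "$work/fullchain.pem") certificate(s)" # 3
    echo "fullcert.p12     : $(p12_cert_count "$work/fullcert.p12") certificate(s)" # 3
    san_contains "$work/server.txt" monitor.example.test && echo "SAN lists the DNS name"
    san_contains "$work/server.txt" 192.0.2.10 && echo "SAN lists the IP"
    san_contains "$work/server.txt" other.example.test || echo "other.example.test is not in the SAN list"
    echo "chain + hostname : $(verify_chain "$work" monitor.example.test)"       # OK
    echo "wrong hostname   : $(verify_chain "$work" other.example.test)"         # FAIL
    rm -rf "$work"
fi
```

Run it as ''sh check_chain.sh''. The leaf file on its own counts 1 certificate, which is exactly what a browser sees when the chain is not inside the PrivateKeyEntry, while ''fullchain.pem'' and the PKCS12 built with ''-certfile chain.pem'' count 3. ''openssl verify -verify_hostname'' fails for a name that is not in the SAN list even though the chain itself is valid, which is the NET::ERR_CERT_COMMON_NAME_INVALID case from the SAN section.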