Certificates
- - SAN (Subject Alternative Name)
    - Fixing SAN problems
  - CA and chain issues

Certificates

SAN (Subject Alternative Name)

Browsers will reject certificates if the hostname used does not appear in the SAN list

Symptoms:

Chrome: NET::ERR_CERT_COMMON_NAME_INVALID
Firefox: MOZILLA_PKIX_ERROR

Check SAN:

In browser: Certificate → Details → Subject Alternative Name.
From console:

openssl x509 -in server.crt -text -noout | grep -A1 ''Subject Alternative Name''

Fixing SAN problems

Regenerate certificate with correct SAN values
- Add this to your generate certificat -ext SAN=DNS:hostname,IP:serverIP

CA and chain issues

Even with a certificate signed by a valid CA, the application may serve only the server certificate, without the intermediate CA

Browsers then reject the connection because the chain is incomplete

Symptoms:

Chrome: ERR_CERT_AUTHORITY_INVALID
Firefox: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
openssl s_client -showcerts shows only ONE certificate
keytool -list -v shows: Certificate chain length: 1

Cause:

Java keystore contains:
1. PrivateKeyEntry: server certificate only
2. trustedCertEntry: CA and intermediates
Redpeaks does NOT assemble the chain automatically
The chain MUST be stored inside the PrivateKeyEntry

Detecting the problem

Check what Redpeaks is sending:

openssl s_client -connect hostname:8443 -showcerts

Check keystore:

keytool -list -v -keystore .keystore -alias <alias>

If chain length = 1, this mean the chain is incomplete

Fixing chain problems

Convert CER to PEM if necessary:

openssl x509 -inform DER -in file.cer -out file.crt

Build chain:

cat intermediate.crt root.crt > chain.pem

Build PKCS12 containing key + certificate + full chain:

openssl pkcs12 -export -inkey server.key -in server.crt -certfile chain.pem -name pro_monitor -out fullcert.p12

Import into Redpeaks keystore:

keytool -importkeystore -srckeystore fullcert.p12 -srcstoretype PKCS12 -srcstorepass agentilKeyStore \
      -destkeystore [REDPEAKS_HOME]/certificates/.keystore -deststoretype JKS -deststorepass agentilKeyStore

Verify:

keytool -list -v -keystore [REDPEAKS_HOME]/certificates/.keystore -alias tomcat

→ Now Certificate chain length should be 2 or 3

CA trust on client side

Even with a complete chain, clients must trust the CA root

On Windows (Chrome / Edge):
- Ensure your CA root is installed under: Trusted Root Certification Authorities

On Firefox:
- Open Settings → Privacy & Security → Certificates → View Certificates → Authorities
- Import the CA root and mark it as trusted to identify websites

If the CA root is missing on the client, browsers will still show ERR_CERT_AUTHORITY_INVALID or equivalent, even if the server is correctly configured

Table of Contents