
Certificates

Generating a certificate manually

SAN (Subject Alternative Name) issues

Browsers will reject a certificate if the hostname used in the URL does not appear in its SAN list.

Symptoms:

  • Chrome: NET::ERR_CERT_COMMON_NAME_INVALID
  • Firefox: MOZILLA_PKIX_ERROR

Check SAN:

  • In browser: Certificate → Details → Subject Alternative Name.
  • From console:
openssl x509 -in server.crt -text -noout | grep -A1 'Subject Alternative Name'

Fixing SAN problems

  • Regenerate the certificate with the correct SAN values.
    • Add this option to the keytool command that generates the certificate: -ext SAN=DNS:hostname,IP:serverIP (replace hostname and serverIP with the name and address clients actually use to reach the server)
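To check a certificate against the name or address clients actually type before regenerating it, the following added example (not part of this page or of the product) parses the SAN line as printed by the openssl x509 -text command above and applies the browser matching rules: an exact DNS match, a wildcard that covers exactly one label, and IP literals that only match IP Address entries. The sample SAN output and the names in it are constructed for the example.

```python
import ipaddress

# Constructed sample of the two lines that
# `openssl x509 -in server.crt -text -noout | grep -A1 'Subject Alternative Name'`
# prints; the hostnames and address are made up for this example.
SAMPLE_SAN_OUTPUT = """\
            X509v3 Subject Alternative Name:
                DNS:promonitor.example.com, DNS:*.lab.example.com, IP Address:10.0.0.5
"""


def parse_san(openssl_text: str) -> tuple[list[str], list[str]]:
    """Return (dns_names, ip_addresses) found on the line following the SAN header."""
    lines = openssl_text.splitlines()
    dns, ips = [], []
    for idx, line in enumerate(lines):
        if "Subject Alternative Name" in line and idx + 1 < len(lines):
            for entry in lines[idx + 1].split(","):
                entry = entry.strip()
                if entry.startswith("DNS:"):
                    dns.append(entry[len("DNS:"):].lower())
                elif entry.startswith("IP Address:"):
                    ips.append(entry[len("IP Address:"):].strip())
    return dns, ips


def san_covers(openssl_text: str, requested: str) -> bool:
    """True if a browser would accept this certificate for the host or IP in the URL."""
    dns, ips = parse_san(openssl_text)

    # An IP literal in the URL must match an IP Address entry; browsers never
    # match it against DNS entries, even if the DNS entry text looks like an IP.
    try:
        addr = ipaddress.ip_address(requested)
    except ValueError:
        addr = None
    if addr is not None:
        return any(ipaddress.ip_address(ip) == addr for ip in ips)

    host = requested.lower().rstrip(".")
    for name in dns:
        if name.startswith("*."):
            # A wildcard covers exactly one label (RFC 6125): *.lab.example.com
            # matches a.lab.example.com but neither lab.example.com nor b.a.lab.example.com.
            suffix = name[1:]  # ".lab.example.com"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif name == host:
            return True
    return False


if __name__ == "__main__":
    # The short name is the classic case behind NET::ERR_CERT_COMMON_NAME_INVALID:
    # users open https://promonitor/ while the SAN only carries the FQDN.
    for candidate in ("promonitor.example.com", "promonitor", "10.0.0.5", "a.lab.example.com"):
        print(f"{candidate:28} covered: {san_covers(SAMPLE_SAN_OUTPUT, candidate)}")
```

Run the script with the real output of the openssl command piped into SAMPLE_SAN_OUTPUT's place; any name that reports False is one the browser will refuse, and it belongs in the -ext SAN list when the certificate is regenerated.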

CA and chain issues

Even with a certificate signed by a valid CA, the application may serve only the server certificate, without the intermediate CA certificate.

Browsers then reject the connection because the chain is incomplete.

Symptoms:

  • Chrome: ERR_CERT_AUTHORITY_INVALID
  • Firefox: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
  • openssl s_client -showcerts shows only ONE certificate
  • keytool -list -v shows: Certificate chain length: 1

Cause:

  • Java keystore contains:
    1. PrivateKeyEntry: server certificate only
    2. trustedCertEntry: CA and intermediates
  • Redpeaks does NOT assemble the chain automatically
  • The chain MUST be stored inside the PrivateKeyEntry

Detecting the problem

Check what Redpeaks is sending:

openssl s_client -connect hostname:8443 -showcerts

Check keystore:

keytool -list -v -keystore .keystore -alias <alias>

If the chain length is 1, the chain is incomplete.
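The "Certificate chain" section of the openssl s_client output above lists every certificate the server sent, each with its subject (s:) and issuer (i:). The following added example (not part of this page or of the product) parses that section and reports the two failures this page describes: only the server certificate being sent, and certificates that do not chain to each other. Both captured outputs are constructed for the example, with placeholder PEM bodies instead of real certificates.

```python
import re

# Constructed `openssl s_client -connect hostname:8443 -showcerts` output for a
# server that sends only its leaf certificate (the symptom described above).
# The PEM body is a placeholder, not real certificate data.
SAMPLE_LEAF_ONLY = """\
CONNECTED(00000003)
depth=0 CN = promonitor.example.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = promonitor.example.com
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBplaceholder0
-----END CERTIFICATE-----
---
Server certificate
subject=CN = promonitor.example.com
issuer=CN = Example Issuing CA
---
"""

# Constructed output for the same server after the intermediate was added to the
# PrivateKeyEntry: leaf plus intermediate are sent, the root is left to the client.
SAMPLE_WITH_INTERMEDIATE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = promonitor.example.com
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBplaceholder0
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBplaceholder1
-----END CERTIFICATE-----
---
"""

# Matches " 0 s:CN = host" (OpenSSL 3) and " 0 s:/CN=host" (OpenSSL 1.x) alike.
CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")


def parse_sent_chain(s_client_output: str) -> list[tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    chain = []
    lines = s_client_output.splitlines()
    for idx, line in enumerate(lines):
        entry = CHAIN_ENTRY.match(line)
        if entry and idx + 1 < len(lines):
            issuer = ISSUER_LINE.match(lines[idx + 1])
            if issuer:
                chain.append((entry.group(2).strip(), issuer.group(1).strip()))
    return chain


def diagnose_chain(s_client_output: str) -> dict:
    """Report chain length and the problems a browser would trip over."""
    chain = parse_sent_chain(s_client_output)
    problems = []
    if not chain:
        problems.append("no certificate chain found in the output")
    # Each certificate must be issued by the next one the server sends.
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            problems.append(
                f"certificate {i} is issued by '{chain[i][1]}' "
                f"but certificate {i + 1} is '{chain[i + 1][0]}'"
            )
    if len(chain) == 1 and chain[0][0] != chain[0][1]:
        # A lone, non-self-signed leaf: the intermediate never left the keystore.
        problems.append(
            f"only the server certificate was sent; intermediate "
            f"'{chain[0][1]}' is missing from the PrivateKeyEntry"
        )
    return {"length": len(chain), "complete": not problems, "problems": problems}


if __name__ == "__main__":
    for label, capture in (("before fix", SAMPLE_LEAF_ONLY), ("after fix", SAMPLE_WITH_INTERMEDIATE)):
        report = diagnose_chain(capture)
        print(f"{label}: length={report['length']} complete={report['complete']}")
        for problem in report["problems"]:
            print("  -", problem)
```

To use it on a live server, save the s_client output to a file (openssl s_client -connect hostname:8443 -showcerts < /dev/null > chain.txt) and pass its contents to diagnose_chain; a length of 1 with a non-self-signed leaf is exactly the "Certificate chain length: 1" condition keytool reports for the keystore.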

Fixing chain problems

Convert CER to PEM if necessary:

openssl x509 -inform DER -in file.cer -out file.crt

Build chain:

cat intermediate.crt root.crt > chain.pem

Build PKCS12 containing key + certificate + full chain:

openssl pkcs12 -export -inkey server.key -in server.crt -certfile chain.pem -name pro_monitor -out fullcert.p12

Import into Redpeaks keystore:

keytool -importkeystore -srckeystore fullcert.p12 -srcstoretype PKCS12 -srcstorepass agentilKeyStore \
      -destkeystore [REDPEAKS_HOME]/certificates/.keystore -deststoretype JKS -deststorepass agentilKeyStore

Verify:

keytool -list -v -keystore [REDPEAKS_HOME]/certificates/.keystore -alias tomcat

→ Now Certificate chain length should be 2 or 3

CA trust on client side

Even with a complete chain, clients must trust the CA root.

  • On Windows (Chrome / Edge):
    • Ensure your CA root is installed under: Trusted Root Certification Authorities
  • On Firefox:
    • Open Settings → Privacy & Security → Certificates → View Certificates → Authorities
    • Import the CA root and mark it as trusted to identify websites

If the CA root is missing on the client, browsers will still show ERR_CERT_AUTHORITY_INVALID or an equivalent error, even if the server is correctly configured.

products/promonitor/latest/troubleshooting/certificates.txt · Last modified: 2025/11/26 12:20 by jtbeduchaud