javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

Explorer

[begin_log]2024-01-08 18:57:00,406+0800|ERROR|pool-47-thread-1|o.s.s.s.TaskUtils$LoggingErrorHandler|Unexpected error occurred in scheduled task
org.springframework.web.client.HttpServerErrorException$InternalServerError: 500 Internal Server Error: "javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown"
at org.springframework.web.client.HttpServerErrorException.create(HttpServerErrorException.java:100)
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:170)
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:122)
at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63)
at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:825)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:783)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:717)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:608)
at com.orchsym.trace.alerts.api.timer.Timer.getBulletinBoardDTO(Timer.java:162)
at com.orchsym.trace.alerts.api.timer.Timer.getBulletinBoard(Timer.java:97)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.scheduling.support.ScheduledMethodRunnable.run(ScheduledMethodRunnable.java:84)
at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54)
at org.springframework.scheduling.concurrent.ReschedulingRunnable.run(ReschedulingRunnable.java:95)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)

 

[root@runtime-0 /opt/orchsym/runtime-ee/conf]# keytool -v -list -keystore /opt/orchsym/runtime/conf/keystore.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN
 
Your keystore contains 1 entry
 
Alias name: runtime-0.runtime-statefulset.default.svc.cluster.local
Creation date: Jan 8, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=runtime-0.runtime-statefulset.default.svc.cluster.local, OU=orchsym.com
Issuer: CN=ca, OU=orchsym.com
Serial number: 94c5135f0b3a7f0e
Valid from: Mon Jan 08 18:23:42 CST 2024 until: Thu May 25 18:23:42 CST 2051
Certificate fingerprints:
MD5:  E3:D3:83:10:FF:A2:56:CE:41:A5:8E:BF:66:B6:97:06
SHA1: 10:00:6B:63:E5:FB:C0:CE:79:B1:AD:BF:07:D7:A1:AD:C1:56:E2:2A
SHA256: C1:B1:5D:D1:EA:5A:1F:64:CB:5A:BE:31:D9:EC:4C:31:90:37:22:7B:9D:B1:CC:66:F6:B3:09:81:34:EB:1E:BD
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions:
 
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
 
#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: runtime-0.runtime-statefulset.default.svc.cluster.local
]
 
Certificate[2]:
Owner: CN=ca, OU=orchsym.com
Issuer: CN=ca, OU=orchsym.com
Serial number: ea7f96497446ec07
Valid from: Wed Dec 13 14:00:40 CST 2023 until: Sat Dec 10 14:00:40 CST 2033
Certificate fingerprints:
MD5:  D1:C7:A1:6A:A3:67:65:68:55:B5:6D:0E:74:21:80:71
SHA1: 64:60:26:22:94:08:24:BD:75:B7:23:B0:62:6C:3C:FF:A8:62:AB:47
SHA256: 37:45:27:2F:B9:A2:A4:40:FC:14:7B:82:CA:D6:57:9D:9D:11:D9:44:13:2F:CC:8D:33:BB:A9:C5:C6:FA:C0:57
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1
 
 
*******************************************
*******************************************
 
 
 
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/orchsym/runtime/conf/keystore.jks -destkeystore /opt/orchsym/runtime/conf/keystore.jks -deststoretype pkcs12".

 

 

 

 

 


Master Mentor

@JamesZhang 

I feel there are a lot of details missing here that may help you get a better response.
I see you added the "Apache NiFi" label, so I am assuming you are seeing this exception somehow related to NiFi?

javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

Above is telling you that you have some TLS exchange issue related to some certificates somewhere. I am assuming the verbose output you shared is for the keystore configured in your NiFi's nifi.properties file?

With any TLS exchange there is a client and a server side of that exchange, and the keystore and truststores on both sides of that exchange along with the type of TLS exchange (TLS or MutualTLS) matter.

Initial questions:
1. Where are you seeing this exception? What action is being performed when the exception occurs?
2. What TLS exchange is failing as a result of it?

Thank you,
Matt

Explorer

When I was accessing the nifi and cut the login he gave me Received fatal alert: certificate_unknown

Explorer

I set up a two-node NiFi cluster, and HTTPS and username and password authentication are enabled.

When I was accessing the nifi and cut the login he gave me Received fatal alert: certificate_unknown

Master Mentor

@JamesZhang 

Not sure what "cut the login" means in your response.

When you access the NiFi URL, are you being redirected to the NiFi login window or do you encounter the unknown certificate exception immediately?

Where did you get the certificates you are using?
Did you add the Certificate Authority CA trust chain public certificates to the list of trusted authorities in the browser you are using to connect to NiFi?

Thanks,
Matt

Explorer

It was after I logged in that the problem occurred.

Explorer

2024-01-08 22:59:04,191 DEBUG [Replicate Request Thread-5] o.a.n.c.c.h.r.o.OkHttpReplicationClient Replicating request OkHttpPreparedRequest[method=GET, headers={sec-fetch-site=same-origin, X-Request-ID=cefa0de909293ecff62ec11a567a7bf5, purpose=prefetch, User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36, Accept-Encoding=gzip, deflate, br, locale=zh, sec-ch-ua-mobile=?0, X-ProxiedEntitiesChain=<admin@orchsym.com>, Content-Encoding=gzip, X-RequestTransactionId=46b8f4dd-346d-4969-b013-0318b425a5e8, X-Real-IP=172.18.153.98, sec-fetch-mode=cors, Cookie=INGRESSCOOKIE=1704456109.379.3262.11429|138638da7f02469ffa15ce137684f175; authMode=token; oidc-request-rfid=[token removed], Accept=*/*, X-Forwarded-Host=runtime.irybd.com, X-Forwarded-Proto=https, Referer=https://runtime.irybd.com/runtime, X-Forwarded-Port=443, sec-ch-ua="Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120", X-ProxyHost=runtime.irybd.com, sec-ch-ua-platform="macOS", X-Forwarded-For=172.18.153.98, Accept-Language=en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7, X-Forwarded-Scheme=https, X-Scheme=https, sec-purpose=prefetch;prerender, sec-fetch-dest=empty}] to https://runtime-1.runtime-statefulset.default.svc.cluster.local:443/nifi-api/flow/current-user
2024-01-08 22:59:04,219 WARN [Replicate Request Thread-5] o.a.n.c.c.h.r.ThreadPoolRequestReplicator Failed to replicate request GET /nifi-api/flow/current-user to runtime-1.runtime-statefulset.default.svc.cluster.local:443 due to javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
2024-01-08 22:59:04,219 WARN [Replicate Request Thread-5] o.a.n.c.c.h.r.ThreadPoolRequestReplicator
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2038)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135)
at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1779)
at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:124)
at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1156)
at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1266)
at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1178)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)
at okhttp3.RealCall.execute(RealCall.java:81)
at org.apache.nifi.cluster.coordination.http.replication.okhttp.OkHttpReplicationClient.replicate(OkHttpReplicationClient.java:122)
at org.apache.nifi.cluster.coordination.http.replication.okhttp.OkHttpReplicationClient.replicate(OkHttpReplicationClient.java:116)
at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator.replicateRequest(ThreadPoolRequestReplicator.java:629)
at org.apache.nifi.cluster.coordination.http.replication.ThreadPoolRequestReplicator$NodeHttpRequest.run(ThreadPoolRequestReplicator.java:821)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)

Master Mentor

@JamesZhang 

What is the verbose output for your configured truststore?

Does it contain the TrustedCertEntry for your Certificate Authority (CA) that signed the PrivateKey in your keystore?

The keystore you shared has:

DNSName: runtime-0.runtime-statefulset.default.svc.cluster.local

The log output you shared is failing on the mutualTLS handshake with another node in your NiFi cluster when the request to get current user is replicated to all nodes in your NiFi cluster.

runtime-1.runtime-statefulset.default.svc.cluster.local

All inter-node communication requires successful mutualTLS exchanges.
Did you create a separate certificate for the other node? Is it signed by the same CA?

If you found any of the suggestions/solutions provided helped you with your issue, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Explorer

Yes, all other nodes are issued with the same CA certificate.

Here are the details of my certificate:

runtime-0 node:

[root@runtime-0 /opt/orchsym/runtime-ee/conf]# keytool -v -list -keystore keystore.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN
 
Your keystore contains 1 entry
 
Alias name: runtime-0.runtime-statefulseheadless.default.svc.cluster.local
Creation date: Jan 9, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=runtime-0.runtime-statefulseheadless.default.svc.cluster.local, OU=orchsym.com
Issuer: CN=ca, OU=orchsym.com
Serial number: 95a5fed51b7682f7
Valid from: Tue Jan 09 11:28:46 CST 2024 until: Fri May 26 11:28:46 CST 2051
Certificate fingerprints:
MD5:  F5:47:4A:ED:84:39:A6:CE:2E:3F:66:E2:9F:13:85:CF
SHA1: C4:B8:DB:86:AB:7C:7F:60:16:7B:02:64:67:E0:82:67:65:F9:C9:55
SHA256: 54:55:A1:C6:BE:5F:F4:2A:8B:AB:05:F1:23:A6:AF:62:3F:4C:1F:97:F7:86:CD:7F:44:27:82:AA:28:78:D6:B5
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions:
 
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
 
#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: runtime-0.runtime-statefulseheadless.default.svc.cluster.local
]
 
Certificate[2]:
Owner: CN=ca, OU=orchsym.com
Issuer: CN=ca, OU=orchsym.com
Serial number: d7621b97728d0ce0
Valid from: Mon Jan 08 23:50:34 CST 2024 until: Thu Jan 05 23:50:34 CST 2034
Certificate fingerprints:
MD5:  66:8E:AA:A6:9B:66:E8:48:43:F0:AB:EF:7C:4A:28:09
SHA1: DD:EB:20:4E:D1:39:86:87:65:21:6D:BF:8A:FE:35:CB:EB:80:6D:75
SHA256: AE:F6:10:DE:50:D2:B2:08:A9:7E:BC:1F:21:89:B7:D4:AD:DB:02:C5:E3:C3:B4:38:FF:28:61:07:A9:EB:B9:4D
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions:
 
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 65 39 FC E5 58 02 CC 39   56 0E 9B F4 A4 EE BB AC  e9..X..9V.......
0010: B9 FC E9 B3                                        ....
]
]
 
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
 
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 65 39 FC E5 58 02 CC 39   56 0E 9B F4 A4 EE BB AC  e9..X..9V.......
0010: B9 FC E9 B3                                        ....
]
]
 
 
 
*******************************************
*******************************************
 
[root@runtime-0 /opt/orchsym/runtime-ee/conf]# keytool -v -list -keystore truststore.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN
 
Your keystore contains 1 entry
 
Alias name: ca
Creation date: Jan 9, 2024
Entry type: trustedCertEntry
 
Owner: CN=ca, OU=orchsym.com
Issuer: CN=ca, OU=orchsym.com
Serial number: d7621b97728d0ce0
Valid from: Mon Jan 08 23:50:34 CST 2024 until: Thu Jan 05 23:50:34 CST 2034
Certificate fingerprints:
MD5:  66:8E:AA:A6:9B:66:E8:48:43:F0:AB:EF:7C:4A:28:09
SHA1: DD:EB:20:4E:D1:39:86:87:65:21:6D:BF:8A:FE:35:CB:EB:80:6D:75
SHA256: AE:F6:10:DE:50:D2:B2:08:A9:7E:BC:1F:21:89:B7:D4:AD:DB:02:C5:E3:C3:B4:38:FF:28:61:07:A9:EB:B9:4D
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions:
 
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 65 39 FC E5 58 02 CC 39   56 0E 9B F4 A4 EE BB AC  e9..X..9V.......
0010: B9 FC E9 B3                                        ....
]
]
 
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
 
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 65 39 FC E5 58 02 CC 39   56 0E 9B F4 A4 EE BB AC  e9..X..9V.......
0010: B9 FC E9 B3                                        ....
]
]
 
 
 
*******************************************
*******************************************
 
 
runtime-1 node:
 
[root@runtime-1 /opt/orchsym/runtime-ee/conf]# keytool -v -list -keystore keystore.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN
 
Your keystore contains 1 entry
 
Alias name: runtime-1.runtime-statefulseheadless.default.svc.cluster.local
Creation date: Jan 9, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=runtime-1.runtime-statefulseheadless.default.svc.cluster.local, OU=orchsym.com
Issuer: CN=ca, OU=orchsym.com
Serial number: daf0d7df943156cf
Valid from: Tue Jan 09 11:28:51 CST 2024 until: Fri May 26 11:28:51 CST 2051
Certificate fingerprints:
MD5:  75:3E:10:50:EB:4E:47:CE:8C:0C:F2:D5:AE:9D:99:44
SHA1: 7D:A4:B0:07:CA:F1:D2:39:42:EE:91:A7:68:02:92:E1:5D:75:CF:D6
SHA256: 05:7E:8A:AC:0C:9B:EE:AE:F9:41:44:AF:69:66:50:8D:32:83:77:48:CC:2F:9D:91:35:33:B4:2D:2A:47:61:E2
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions:
 
#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]
 
#2: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: runtime-1.runtime-statefulseheadless.default.svc.cluster.local
]
 
Certificate[2]:
Owner: CN=ca, OU=orchsym.com
Issuer: CN=ca, OU=orchsym.com
Serial number: d7621b97728d0ce0
Valid from: Mon Jan 08 23:50:34 CST 2024 until: Thu Jan 05 23:50:34 CST 2034
Certificate fingerprints:
MD5:  66:8E:AA:A6:9B:66:E8:48:43:F0:AB:EF:7C:4A:28:09
SHA1: DD:EB:20:4E:D1:39:86:87:65:21:6D:BF:8A:FE:35:CB:EB:80:6D:75
SHA256: AE:F6:10:DE:50:D2:B2:08:A9:7E:BC:1F:21:89:B7:D4:AD:DB:02:C5:E3:C3:B4:38:FF:28:61:07:A9:EB:B9:4D
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions:
 
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 65 39 FC E5 58 02 CC 39   56 0E 9B F4 A4 EE BB AC  e9..X..9V.......
0010: B9 FC E9 B3                                        ....
]
]
 
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
 
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 65 39 FC E5 58 02 CC 39   56 0E 9B F4 A4 EE BB AC  e9..X..9V.......
0010: B9 FC E9 B3                                        ....
]
]
 
 
 
*******************************************
*******************************************
[root@runtime-1 /opt/orchsym/runtime-ee/conf]# keytool -v -list -keystore truststore.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN
 
Your keystore contains 1 entry
 
Alias name: ca
Creation date: Jan 9, 2024
Entry type: trustedCertEntry
 
Owner: CN=ca, OU=orchsym.com
Issuer: CN=ca, OU=orchsym.com
Serial number: d7621b97728d0ce0
Valid from: Mon Jan 08 23:50:34 CST 2024 until: Thu Jan 05 23:50:34 CST 2034
Certificate fingerprints:
MD5:  66:8E:AA:A6:9B:66:E8:48:43:F0:AB:EF:7C:4A:28:09
SHA1: DD:EB:20:4E:D1:39:86:87:65:21:6D:BF:8A:FE:35:CB:EB:80:6D:75
SHA256: AE:F6:10:DE:50:D2:B2:08:A9:7E:BC:1F:21:89:B7:D4:AD:DB:02:C5:E3:C3:B4:38:FF:28:61:07:A9:EB:B9:4D
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
 
Extensions:
 
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 65 39 FC E5 58 02 CC 39   56 0E 9B F4 A4 EE BB AC  e9..X..9V.......
0010: B9 FC E9 B3                                        ....
]
]
 
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]
 
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 65 39 FC E5 58 02 CC 39   56 0E 9B F4 A4 EE BB AC  e9..X..9V.......
0010: B9 FC E9 B3                                        ....
]
]
 
 
 
*******************************************
*******************************************
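
The two checks the replies ask about (is the CA that signed a node's key present as a trustedCertEntry in the peer's truststore, and does the certificate's DNSName cover the hostname the cluster connects to) can be run directly over `keytool -v -list` output. This is an added example, not part of the thread or of NiFi: the function names are hypothetical, the sample text is constructed by abbreviating the listings posted above, and the fingerprint comparison is a stand-in for full certificate path validation.

```python
# Constructed sample input: keytool listings abbreviated from the ones posted in this thread.
CA_DEC13 = "37:45:27:2F:B9:A2:A4:40:FC:14:7B:82:CA:D6:57:9D:9D:11:D9:44:13:2F:CC:8D:33:BB:A9:C5:C6:FA:C0:57"
CA_JAN08 = "AE:F6:10:DE:50:D2:B2:08:A9:7E:BC:1F:21:89:B7:D4:AD:DB:02:C5:E3:C3:B4:38:FF:28:61:07:A9:EB:B9:4D"
LOG_HOST = "runtime-1.runtime-statefulset.default.svc.cluster.local"  # target in the replication log

FIRST_POST_KEYSTORE = f"""Alias name: runtime-0.runtime-statefulset.default.svc.cluster.local
Entry type: PrivateKeyEntry
Owner: CN=runtime-0.runtime-statefulset.default.svc.cluster.local, OU=orchsym.com
SHA256: C1:B1:5D:D1:EA:5A:1F:64:CB:5A:BE:31:D9:EC:4C:31:90:37:22:7B:9D:B1:CC:66:F6:B3:09:81:34:EB:1E:BD
  DNSName: runtime-0.runtime-statefulset.default.svc.cluster.local
Owner: CN=ca, OU=orchsym.com
SHA256: {CA_DEC13}
"""
RUNTIME1_KEYSTORE = f"""Alias name: runtime-1.runtime-statefulseheadless.default.svc.cluster.local
Entry type: PrivateKeyEntry
Owner: CN=runtime-1.runtime-statefulseheadless.default.svc.cluster.local, OU=orchsym.com
SHA256: 05:7E:8A:AC:0C:9B:EE:AE:F9:41:44:AF:69:66:50:8D:32:83:77:48:CC:2F:9D:91:35:33:B4:2D:2A:47:61:E2
  DNSName: runtime-1.runtime-statefulseheadless.default.svc.cluster.local
Owner: CN=ca, OU=orchsym.com
SHA256: {CA_JAN08}
"""
RUNTIME0_TRUSTSTORE = f"""Alias name: ca
Entry type: trustedCertEntry
Owner: CN=ca, OU=orchsym.com
SHA256: {CA_JAN08}
"""

def parse_keytool(text):
    """Parse `keytool -v -list` text into [{alias, type, certs:[{owner, sha256, sans}]}]."""
    entries, cert = [], None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Alias name":
            entries.append({"alias": value, "type": None, "certs": []})
            cert = None
        elif not entries:
            continue  # header lines before the first alias
        elif key == "Entry type":
            entries[-1]["type"] = value
        elif key == "Owner":  # each certificate in a chain starts with an Owner line
            cert = {"owner": value, "sha256": None, "sans": []}
            entries[-1]["certs"].append(cert)
        elif cert and key == "SHA256":
            cert["sha256"] = value.upper()
        elif cert and key == "DNSName":
            cert["sans"].append(value.lower())
    return entries

def san_matches(sans, hostname):
    """Exact match, or a wildcard that covers exactly the left-most label."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False

def check_link(presenter_keystore, verifier_truststore, hostname=None):
    """List the problems a verifier would hit with the chain the presenter sends."""
    anchors = {c["sha256"] for e in parse_keytool(verifier_truststore)
               if e["type"] == "trustedCertEntry" for c in e["certs"]}
    problems = []
    for e in parse_keytool(presenter_keystore):
        if e["type"] != "PrivateKeyEntry" or not e["certs"]:
            continue
        # Assumption: a chain is acceptable if any of its certificates is a trust anchor.
        if not any(c["sha256"] in anchors for c in e["certs"]):
            problems.append("untrusted-chain:" + e["certs"][-1]["owner"])
        if hostname and not san_matches(e["certs"][0]["sans"], hostname):
            problems.append("san-mismatch:" + hostname)
    return problems
```

Because inter-node traffic is mutual TLS, run `check_link` in both directions: each node's keystore against the other node's truststore. The hostname here comes from the 2024-01-08 replication log and the listings from the later post, so rerun it against the files each node currently loads before drawing conclusions.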