When I make the API call using the curl command, I am seeing the following error:
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
Can you please suggest what I can do to resolve this issue?
Hi,
You can check this post with a similar discussion.
Investigating this issue, I found that this error was thrown because the certificates in the chain were not uploaded in the proper order to the Keystore.
As explained in the link,
If you have a certificate chain, and want to use that chain in a keystore or truststore, then you can combine all of the certs into a single PEM file. The certs have to be in order and the last cert must be a root certificate or an intermediate cert signed by a root certificate as shown below:
Your Primary SSL Certificate
Intermediate Certificate
Root Certificate or Intermediate Certificate signed by a root certificate
In addition, we should also ensure the below:
- Issuer of the Intermediate certificate should be same as the Subject of the Primary Certificate
- Issuer of the next Intermediate/Root certificate should be same as the Subject of the first Intermediate Certificate
- and this continues until the last cert
Note: There can be multiple intermediate certificates in the certificate chain.
In this case, the Keystore had the certificates in an incorrect order, as shown below:
Your Primary SSL Certificate
Intermediate Certificate 1
Root Certificate
Intermediate Certificate 2
This basically resulted in a mismatch. That is, the Issuer of Intermediate Certificate 1 did not match with the Subject of the Root Certificate, so we got the error “Peer’s Certificate issuer is not recognized.”
Re-uploading the certificate chain in the proper order (shown below) to the Keystore fixed the issue.
Your Primary SSL Certificate
Intermediate Certificate 1
Intermediate Certificate 2
Root Certificate
@AMAR DEVEGOWDA
Hi Amar,
Normally, for 2-way SSL, I first test the connectivity using the curl call:
curl "" --cert ./ --key --cacert -v
Also, to check if the certs are added at the target end, you can execute the command below:
openssl s_client -showcerts -connect abcde.com:
I hope this information helps
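
The ordering check from the keystore answer above, applied to the "Certificate chain" summary that openssl s_client -showcerts prints, as an added example that is not part of the original thread. The sample output and its names are constructed, the function names are hypothetical, and it assumes the server sends the certificates in keystore order and that comparing subject and issuer strings is enough (real path building also checks signatures and key identifiers).

```python
import re
import sys

# Constructed sample of the "Certificate chain" summary, in the broken order
# from the thread: leaf, Intermediate 1, Root, Intermediate 2.
SAMPLE = """\
Certificate chain
 0 s:CN = api.example.test
   i:CN = Example Intermediate 1
 1 s:CN = Example Intermediate 1
   i:CN = Example Intermediate 2
 2 s:CN = Example Root
   i:CN = Example Root
 3 s:CN = Example Intermediate 2
   i:CN = Example Root
"""

SUBJECT = re.compile(r"^\s*\d+ s:(.*)$")
ISSUER = re.compile(r"^\s+i:(.*)$")

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the certificates were sent."""
    chain = []
    for line in text.splitlines():
        if m := SUBJECT.match(line):
            chain.append([m.group(1).strip(), None])
        elif (m := ISSUER.match(line)) and chain and chain[-1][1] is None:
            chain[-1][1] = m.group(1).strip()
    return [tuple(entry) for entry in chain]

def order_breaks(chain):
    """Positions i where the issuer of cert i is not the subject of cert i+1."""
    return [i for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]

def suggested_order(chain):
    """Walk issuer -> subject links starting from the leaf (entry 0)."""
    by_subject = {subject: (subject, issuer) for subject, issuer in chain}
    ordered, cur = [], chain[0] if chain else None
    while cur and cur not in ordered:
        ordered.append(cur)
        # Stop at a self-signed root or at an issuer missing from the bundle.
        cur = None if cur[0] == cur[1] else by_subject.get(cur[1])
    return [subject for subject, _ in ordered]

if __name__ == "__main__":
    # Pipe real s_client output in, or run with no pipe to use the sample.
    chain = parse_chain(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    for i in order_breaks(chain):
        print(f"entry {i}: issuer {chain[i][1]!r} != subject of entry {i + 1}")
    print("suggested order:", " -> ".join(suggested_order(chain)))
```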