SAP Knowledge Base Article - Preview

3065053 - Peer certificate rejected by ChainVerifier - Unhandled CRITICAL extension: OBJECT ID = CertificatePolicies


  • An SSL/TLS connection to an external server from the AS Java fails with "Peer certificate rejected by ChainVerifier".
  • An SSL trace with IAIK debug records (see SAP KBA 2673775) shows the following messages:

    ssl_debug(7): Starting handshake (iSaSiLk 5.106)...
    ssl_debug(7): Sending v3 client_hello message to <hostname>:<port>, requesting version 3.3...
    ssl_debug(7): Sending extensions: renegotiation_info (...), signature_algorithms (..)
    ssl_debug(7): Received v3 server_hello handshake message.
    ssl_debug(7): Received certificate handshake message with server certificate.
    ChainVerifier: Found a trusted certificate, returning true
    Extensions: 10
    Unhandled CRITICAL extension: OBJECT ID = CertificatePolicies (
    Sending alert: Alert Fatal: bad certificate
    Shutting down SSL layer...
    SSLException while handshaking: Peer certificate rejected by ChainVerifier
    Closing transport...



  • SAP NetWeaver Application Server Java all versions
  • AS Java as SSL client


SAP NetWeaver Application Server for Java all versions


handshake error, handshake fails, pki, certificate policy, certificate extensions   , KBA , BC-JAS-SEC-CPG , Cryptography , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.