SAP Knowledge Base Article - Preview

3139964 - PI/PO - REST Adapter - Peer certificate rejected by ChainVerifier


While sending message from PO/PO system to external server by REST Adapter, you are facing following errors which can be found from XPI Inspector traces.

Sun Nov 28 13:58:23 AST 2021 Message processing failed. Cause: Peer certificate rejected by ChainVerifier
Sun Nov 28 13:58:23 AST 2021 Error while processing outbound message. Peer certificate rejected by ChainVerifier: Peer certificate rejected by ChainVerifier

Found Certificate chain with 4 elements:
Certificate: #0
    IssuerDN: CN=XX,OU=XX,O=XX,C=US

Begin IAIK Examination:
  ERROR:     The default IAIK chain verifier does not trust this chain!
End IAIK Examination.

Catching Error retrieving certificates:
Caused by: java.lang.NullPointerException: CertificateChain and PrivateKey must not be null!
... 103 more

Begin IAIK Debug:
ssl_debug(13812): Starting handshake (iSaSiLk 5.2)...
ssl_debug(13812): Sending v3 client_hello message to, requesting version 3.3...
ssl_debug(13812): Sending extensions: elliptic_curves (10), renegotiation_info (65281), signature_algorithms (13), server_name (0), ec_point_formats (11)
ssl_debug(13812): Received v3 server_hello handshake message.
ssl_debug(13812): Server selected SSL version 3.3.
ssl_debug(13812): Server created new session 42:B7:4A:15:AB:81:BD:85...
ssl_debug(13812): CipherSuite selected by server: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ssl_debug(13812): ChainVerifier: No trusted certificate found, rejected.
ssl_debug(13812): Received server_key_exchange handshake message.
ssl_debug(13812): Verifying SHA512withRSA signature of server_key_exchange message...
ssl_debug(13812): Server sent a secp256r1 ECDH key.
ssl_debug(13812): Received server_hello_done handshake message.
ssl_debug(13812): Sending client_key_exchange handshake (secp256r1 ECDH)...
ssl_debug(13812): Sending change_cipher_spec message...
ssl_debug(13812): Sending finished message...
ssl_debug(13812): Received change_cipher_spec message.
ssl_debug(13812): Received finished message.
ssl_debug(13812): Session added to session cache.
ssl_debug(13812): Handshake completed, statistics:
ssl_debug(13812): Read 5498 bytes in 6 records, wrote 314 bytes in 4 records.
ssl_debug(13812): Shutting down SSL layer...
ssl_debug(13812): Sending alert: Alert Warning: close notify
ssl_debug(13812): Read 0 bytes in 0 records, 0 bytes net, 0 average.
ssl_debug(13812): Wrote 0 bytes in 0 records, 0 bytes net, 0 average.
ssl_debug(13812): Closing transport...
ssl_debug(13812): Closing transport...

End IAIK Debug.

Per ssl_debug traces above, we can see "ChainVerifier: No trusted certificate found, rejected". The target external server to which PO system is trying to connect by REST receiver channel is []. However, the certificate shows you "" which is different from target server name. You have already imported the correct and whole certificate chain in TrustedCAs, configured the same in REST receiver channel. However, the message processing seems still to select incorrect certificate [SubjectDN:, IssuerDN: CN=XX,OU=XX,O=XX,C=US] which is not existing at all on PO system. It's not working even though customer do a dummy change and perform CPACache refresh.



  • SAP NetWeaver
  • SAP Process Integration


SAP NetWeaver all versions ; SAP Process Integration all versions


Process Integration, PI, Process Orchestration, PO, NetWeaver, XI, AEX, SSLCertificateException, Peer certificate rejected by ChainVerifier, GeneralSecurityException, Error retrieving certificates, CertificateChain and PrivateKey must not be null , KBA , BC-XI-CON-RST , Rest Adapter , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.