SSL Certificates not working

Hi Team,

We are getting the below error while configuring the security admin.

**Versions** (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue:

aster-0\] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: (certificate_unknown) Extended key usage does not permit use for TLS client authentication
javax.net.ssl.SSLHandshakeException: (certificate_unknown) Extended key usage does not permit use for TLS client authentication
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130) \~\[?:?\]
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:376) \~\[?:?\]
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:319) \~\[?:?\]
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314) \~\[?:?\]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkClientCerts(CertificateMessage.java:1280) \~\[?:?\]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1184) \~\[?:?\]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1161) \~\[?:?\]
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) \~\[?:?\]
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) \~\[?:?\]

Configuration:

plugins:
  security:
    ssl:
      transport:
        pemcert_filepath: /usr/share/opensearch/config/certs/transport/admin.pem
        pemkey_filepath: /usr/share/opensearch/config/certs/transport/admin-key.pem
        pemtrustedcas_filepath: /usr/share/opensearch/config/certs/transport/root-ca.pem
        enforce_hostname_verification: false
      http:
        enabled: true
        pemcert_filepath: /usr/share/opensearch/config/certs/ap-mdm.pem
        pemkey_filepath: /usr/share/opensearch/config/certs/key.pem
        pemtrustedcas_filepath: /usr/share/opensearch/config/certs/ap-mdm.com.ca
        certificates_hot_reload:
          enabled: true
        allow_unsafe_democertificates: true
        allow_default_init_securityindex: true
      authcz:
        admin_dn:
        - CN=ap-mdm.com
        nodes_dn:
        - CN=https://opensearch-dev.ap-mdm.com,OU=IT,O=MIT,L=Chennai,ST=TN,C=IN

Relevant Logs or Screenshots:

oc exec opensearch-dev-cluster-master-0 -it -- /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh -f /usr/share/opensearch/config/opensearch-security/internal_users.yml \
-t internalusers \
-icl \
-cacert /usr/share/opensearch/config/certs/ap-mdm.com.ca \
-cert /usr/share/opensearch/config/certs/ap-mdm.pem \
-key /usr/share/opensearch/config/certs/key.pem
Defaulted container “opensearch” out of: opensearch, fsgroup-volume (init), configfile (init)
Security Admin v7
Will connect to localhost:9200 … done
ERR: An unexpected IOException occured: Certificate for  doesn’t match any of the subject alternative names: \[\*.ap-mdm.com, ap-mdm.com\]
Trace:
java.io.IOException: Certificate for  doesn’t match any of the subject alternative names: \[\*.ap-mdm.com, ap-mdm.com\]
    at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:1348)
    at org.opensearch.client.RestClient.performRequest(RestClient.java:371)
    at org.opensearch.client.RestClient.performRequest(RestClient.java:359)
    at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:541)
    at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:154)

Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for  doesn’t match any of the subject alternative names: \[\*.ap-mdm.com, ap-mdm.com\]
    at org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:170)
    at org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:128)
    at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:316)
    at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:194)
    at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.lambda$upgrade$1(AbstractClientTlsStrategy.java:168)
    at org.apache.hc.core5.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:431)
    at org.apache.hc.core5.reactor.ssl.SSLIOSession.access$100(SSLIOSession.java:74)
    at org.apache.hc.core5.reactor.ssl.SSLIOSession$1.outputReady(SSLIOSession.java:212)
    at org.apache.hc.core5.reactor.InternalDataChannel.onIOEvent(InternalDataChannel.java:153)
    at org.apache.hc.core5.reactor.InternalChannel.handleIOEvent(InternalChannel.java:51)
    at org.apache.hc.core5.reactor.SingleCoreIOReactor.processEvents(SingleCoreIOReactor.java:176)
    at org.apache.hc.core5.reactor.SingleCoreIOReactor.doExecute(SingleCoreIOReactor.java:125)
    at org.apache.hc.core5.reactor.AbstractSingleCoreIOReactor.execute(AbstractSingleCoreIOReactor.java:92)
    at org.apache.hc.core5.reactor.IOReactorWorker.run(IOReactorWorker.java:44)
    at java.base/java.lang.Thread.run(Thread.java:1447)

command terminated with exit code 255

@mmarunbabu The first thing that jumps out is that you are trying to use the admin certificate for internal node-to-node communication:

pemcert_filepath: /usr/share/opensearch/config/certs/transport/admin.pem
pemkey_filepath: /usr/share/opensearch/config/certs/transport/admin-key.pem

The admin certificate should only be used with the securityadmin.sh script or an admin curl command, for example, never for communication on the transport/http layer.

The second part is the different CAs (ap-mdm.com.ca and root-ca.pem). You are probably using only one, which signs all of the certificates, including the admin cert. I would advise that you have a look at the OpenSearch TLS documentation, in particular the node_dn and admin_dn sections. This is where you configure which certificates are admin and which are node. Please also note that the same node certificates can be used for both the transport and http layer.

Hope this helps

The name we just used is admin: instead of node.pem, we used admin.pem.

Also, we use ap-mdm.pem, a trusted certificate from Let's Encrypt. admin.pem is a self-signed certificate.

If we use both the node and admin certificates from Let's Encrypt, we get the below error:

2026-02-20T07:45:47,151][ERROR][o.o.t.n.s.SecureNetty4Transport] [opensearch-dev-cluster-master-0] Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: (certificate_unknown) Extended key usage does not permit use for TLS client authentication
javax.net.ssl.SSLHandshakeException: (certificate_unknown) Extended key usage does not permit use for TLS client authentication.

The same is working on the previous version of OpenSearch, 3.2.0.

Are there any changes from the application side such that we should use a certificate that has “TLS client authentication”?
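An added pre-flight check, not from any poster in this thread, for the two failures quoted above: the transport-layer rejection of a certificate whose Extended Key Usage omits TLS client authentication (nodes also dial their peers, so a transport cert must be usable as a client), and the securityadmin.sh hostname mismatch (it connects to localhost:9200 by default while the SANs cover only ap-mdm.com names). The constructed test certificates, the hostnames and the check_cert helper are assumptions; it needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an OpenSearch PEM
# certificate, mirroring the two errors above. Requires OpenSSL 1.1.1 or newer.
set -e

# Subject DN in RFC 2253 form, the format plugins.security expects in
# nodes_dn / admin_dn (copy it verbatim rather than retyping it).
cert_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# A transport-layer certificate must be usable as a TLS *client*, because every
# node also opens connections to its peers. Java rejects a cert whose Extended
# Key Usage lists only serverAuth ("does not permit use for TLS client
# authentication"); a cert with no EKU extension at all is allowed any use.
has_client_auth_eku() {
  eku=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null || true)
  case "$eku" in
    *"Extended Key Usage"*) echo "$eku" | grep -q 'TLS Web Client Authentication' ;;
    *) return 0 ;;   # no EKU extension: unrestricted
  esac
}

# Does the SAN list cover the host a client will dial? securityadmin.sh connects
# to localhost:9200 by default, so a cert whose SANs are only *.ap-mdm.com and
# ap-mdm.com fails hostname verification against it.
san_matches() {  # $1 = cert file, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Build a constructed self-signed test cert (EC P-256, valid 1 day) with the
# given EKU and SAN lists; hypothetical names, not the poster's real certificates.
make_test_cert() {  # $1 = output prefix, $2 = EKU list, $3 = SAN list
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 1 -keyout "$1-key.pem" -out "$1.pem" \
    -subj "/O=MIT/OU=IT/CN=opensearch-dev.ap-mdm.com" \
    -addext "subjectAltName=$3" -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

# Report on one certificate for one target host; returns 0 only if both checks pass.
check_cert() {  # $1 = cert file, $2 = hostname
  rc=0
  echo "subject (for nodes_dn/admin_dn): $(cert_dn "$1")"
  has_client_auth_eku "$1" && echo "EKU: client auth ok" || { echo "EKU: no clientAuth"; rc=1; }
  san_matches "$1" "$2" && echo "SAN: matches $2" || { echo "SAN: no match for $2"; rc=1; }
  return $rc
}
```

Run `check_cert /path/to/node.pem localhost` against the file named in pemcert_filepath before invoking securityadmin.sh; a Let's Encrypt web certificate will typically fail the EKU check while the self-signed node cert passes it.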