Using curl command to test connection to cms.netwitness.com, curl error code 60 is thrown out - Peer certificate cannot be authenticated with known CA certificate. Below is sample curl command output:
# curl -v https://<useraccount>:<password>@cms.netwitness.com:443
* About to connect() to cms.netwitness.com port 443 (#0)
* Trying 126.96.36.199... connected
* Connected to cms.netwitness.com (188.8.131.52) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* Certificate is signed by an untrusted issuer: 'Eemail@example.com,CN=TD Bank Group Internal Browsing,OU=TRMIS,O=TD Bank Group,L=Toronto,ST=Ontario,C=CA'
* NSS error -8172
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
The curl command performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
It is possible to turn off curl's verification of the certificate, using the -k (or --insecure) option.
Customer certificate is used for SA and needs to be imported to /etc/pki/java/caerts for the connection to work.
1. Connect to the SA Server via ssh and export the certificates using the openssl command: