Hi @christopherlecky
Great question!
You mention a self-signed certificate in the post title.
When a client (in this case the workflow engine) requests an HTTPS resource, the process checks the validity of the certificate chain on the target resource against a built-in set of root CA certificates.
In Windows, it’s simple to check the root CA certificates in Certificate Manager.
I suspect a Java process is performing the lookup, using the built-in “cacerts” certificate store, and if the target resource has a self-signed or internal CA-signed certificate, Java can’t complete the certificate chain without a root CA certificate.
Assuming this is correct, it’s a relatively simple task to import/add a new root or intermediate CA certificate into the cacerts keystore using the Java command-line keytool.
Java - Import the Certificate as a Trusted Certificate
If you check the Java install location and run the following command in the JAVA_HOME\jre\lib\security\cacerts location, you can import trusted root CA certificates into the cacerts keystore.
keytool -import -alias xyz-RootCA -file xyzRootCA.cer -keystore cacerts
Where xyz-RootCA is your internal root CA alias and xyzRootCA.cer is the exported certificate.
This may not work with a self-signed certificate as there won’t be a trusted root CA, but try importing the certificate and let me know.
The trouble with this process is that, unlike a web browser with an “I know the risks, proceed anyway” option, these process-driven requests don’t have an override option available that I’m aware of, so you may need to provide a signed certificate (even with an internal CA) and run the procedure above.
Let me know how you get on.
Thanks,
Stuart
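
The import described in the reply above, as a guarded PowerShell script. This is an added example, not part of Stuart's post: the alias, file name and keystore path come from the reply, while the `changeit` store password (the JDK default) and a `JAVA_HOME` that points at a JDK 8-style install are assumptions.

```powershell
# Added example (not from the original reply). Run from an elevated prompt if
# the Java install lives under Program Files.
param(
    [string]$Alias     = 'xyz-RootCA',      # alias used in the reply
    [string]$CertFile  = 'xyzRootCA.cer',   # exported CA certificate from the reply
    [string]$StorePass = 'changeit'         # assumption: JDK default cacerts password
)
if (-not $env:JAVA_HOME) { throw 'JAVA_HOME is not set.' }
$keytool  = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
$keystore = Join-Path $env:JAVA_HOME 'jre\lib\security\cacerts'   # path as given in the reply
foreach ($p in $keytool, $keystore, $CertFile) {
    if (-not (Test-Path $p)) { throw "Not found: $p" }
}

# 1. Print subject, issuer, validity and fingerprints so the operator can
#    compare them with the values published by the internal CA's owner.
& $keytool -printcert -file $CertFile
if ($LASTEXITCODE -ne 0) { throw "keytool could not read $CertFile" }
if ((Read-Host 'Fingerprints match the expected CA certificate? (yes/no)') -ne 'yes') {
    throw 'Import aborted.'
}

# 2. Refuse to reuse an alias that is already present in the trust store.
& $keytool -list -keystore $keystore -storepass $StorePass -alias $Alias | Out-Null
if ($LASTEXITCODE -eq 0) { throw "Alias '$Alias' already exists in $keystore" }

# 3. Keep a timestamped copy of cacerts so the change can be rolled back.
$backup = "${keystore}.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item $keystore $backup -ErrorAction Stop

# 4. Import the CA certificate as a trusted entry; restore the backup on failure.
& $keytool -importcert -noprompt -trustcacerts -alias $Alias -file $CertFile `
    -keystore $keystore -storepass $StorePass
if ($LASTEXITCODE -ne 0) {
    Copy-Item $backup $keystore -Force
    throw "Import failed; keystore restored from $backup"
}

# 5. Show the stored entry so its fingerprint can be checked once more.
& $keytool -list -v -keystore $keystore -storepass $StorePass -alias $Alias
```

A JVM that has already loaded its default trust store will not see the new entry until it is restarted.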