When the JWP certificate used to sign the Agent FT certificates, <AGENT>_ca.pem and <AGENT>.cert, is signed by a higher CA, the FT fails with this error:

20260203/105515.090 - U02000377 Certificate loaded from file '<AGENT_source>_ca.pem'.
20260203/105515.092 - U02000377 Certificate loaded from file '<AGENT_target>_ca.pem'.
20260203/105515.121 - U02000385 FT '5145029': Web socket error: 'SSL_HANDSHAKE_EXCEPTION'.
20260203/105515.121 -           IOException: javax.net.ssl.SSLHandshakeException: Path does not chain with any of the trust anchors
20260203/105515.122 -            -> SSLHandshakeException: Path does not chain with any of the trust anchors
20260203/105515.123 -            -> ExtendedCertificateException: Path does not chain with any of the trust anchors
20260203/105515.124 - U00000096 SSL Certificate validation error: '<AGENT_target>'.
20260203/105515.125 -           Root certificate details -> Issued To:'CN=<JWP>'   Issued By:'CN=<ROOT_CA>'   Valid to:'Mon Jan 01 00:00:00 CET 2029'   Serial:'620865999202001754412713117904271971695810094806'
20260203/105515.127 - U02000230 FT '5145029': Thread 'Thread[FT5145029,5,main]' ended.

This happens when:

• Step 1: creating your own JWP certificate using this method:
  https://broadcomcms-software.wolkenservicedesk.com/external/article?articleNumber=388493
• Step 2: signing the resulting certificate by a higher CA:
  • Take the JWP certificate from step 1 (myown.cer in the example of step 1) and create a CSR
  • Sign the CSR with a root CA and import the signed certificate back. Now your original cert is signed by a higher CA (Issuer changed).
  • Now you have to export private key public key and certificate chain again (as explained in the article in step 1)

v24.x

DE180794

Solution:

Update to a fix version listed below or a newer version if available.

Fix version:

Component(s): Automation Engine

Automation.Engine 24.4.5 - Planned release June 2026

Note that this used to work with the v21.0.x c-based Agent