Schema Registry : Bad certificate error

Hi everyone,

I am getting a bad certificate error (javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate) when my Kafka Producer bootstraps and try to register the schema with Schema Registry server using HTTPS. I have configured the producer factory correctly with all the relevant properties required for using schema registry. Below is the error stack trace:

=2022-06-21 13:43:11,100 ERROR [main] i.c.k.s.c.r.RestService - Failed to send HTTP request to endpoint: https://<schema-registry-server-hostname>:8082/subjects/topicName-value/versions?normalize=false
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2020)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1127)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)
        at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getOutputStream(HttpsURLConnectionOldImpl.java:229)
        at io.confluent.kafka.schemaregistry.client.rest.RestService.sendHttpRequest(RestService.java:268)
        at io.confluent.kafka.schemaregistry.client.rest.RestService.httpRequest(RestService.java:367)
        at io.confluent.kafka.schemaregistry.client.rest.RestService.registerSchema(RestService.java:544)
        at io.confluent.kafka.schemaregistry.client.rest.RestService.registerSchema(RestService.java:532)
        at io.confluent.kafka.schemaregistry.client.rest.RestService.registerSchema(RestService.java:490)
        at io.confluent.kafka.schemaregistry.client.CachedSchemaRegistryClient.registerAndGetId(CachedSchemaRegistryClient.java:257)
        at io.confluent.kafka.schemaregistry.client.CachedSchemaRegistryClient.register(CachedSchemaRegistryClient.java:366)
        at io.confluent.kafka.schemaregistry.client.CachedSchemaRegistryClient.register(CachedSchemaRegistryClient.java:337)
        at io.confluent.kafka.serializers.AbstractKafkaAvroSerializer.serializeImpl(AbstractKafkaAvroSerializer.java:115)
        at io.confluent.kafka.serializers.KafkaAvroSerializer.serialize(KafkaAvroSerializer.java:61)
        at org.apache.kafka.common.serialization.Serializer.serialize(Serializer.java:62)
        at org.apache.kafka.clients.producer.KafkaProducer.doSend(KafkaProducer.java:926)
        at org.apache.kafka.clients.producer.KafkaProducer.send(KafkaProducer.java:886)
        at org.springframework.kafka.core.DefaultKafkaProducerFactory$CloseSafeProducer.send(DefaultKafkaProducerFactory.java:864)
        at org.springframework.kafka.core.KafkaTemplate.doSend(KafkaTemplate.java:580)
        at org.springframework.kafka.core.KafkaTemplate.send(KafkaTemplate.java:419)

Below is configuration related to schema registry:-

KafkaAvroSerializerConfig values:
        auto.register.schemas = true
        avro.reflection.allow.null = false
        avro.remove.java.properties = false
        avro.use.logical.type.converters = false
        basic.auth.credentials.source = URL
        basic.auth.user.info = [hidden]
        bearer.auth.credentials.source = STATIC_TOKEN
        bearer.auth.token = [hidden]
        context.name.strategy = class io.confluent.kafka.serializers.context.NullContextNameStrategy
        id.compatibility.strict = true
        key.subject.name.strategy = class io.confluent.kafka.serializers.subject.TopicNameStrategy
        latest.compatibility.strict = true
        max.schemas.per.subject = 1000
        normalize.schemas = false
        proxy.host =
        proxy.port = -1
        schema.reflection = false
        schema.registry.basic.auth.user.info = [hidden]
        schema.registry.ssl.cipher.suites = null
        schema.registry.ssl.enabled.protocols = [TLSv1.2]
        schema.registry.ssl.endpoint.identification.algorithm = https
        schema.registry.ssl.engine.factory.class = null
        schema.registry.ssl.key.password = [hidden]
        schema.registry.ssl.keymanager.algorithm = SunX509
        schema.registry.ssl.keystore.certificate.chain = null
        schema.registry.ssl.keystore.key = null
        schema.registry.ssl.keystore.location = /location/keystore.jks
        schema.registry.ssl.keystore.password = [hidden]
        schema.registry.ssl.keystore.type = JKS
        schema.registry.ssl.protocol = TLSv1.2
        schema.registry.ssl.provider = null
        schema.registry.ssl.secure.random.implementation = null
        schema.registry.ssl.trustmanager.algorithm = PKIX
        schema.registry.ssl.truststore.certificates = null
        schema.registry.ssl.truststore.location = /location/keystore.jks
        schema.registry.ssl.truststore.password = [hidden]
        schema.registry.ssl.truststore.type = JKS
        schema.registry.url = [https://<schema-registry-server-host-1>:8082, https://<schema-registry-server-host-2>:8082]
        use.latest.version = false
        use.schema.id = -1
        value.subject.name.strategy = class io.confluent.kafka.serializers.subject.TopicNameStrategy

One thing I want to highlight is that my application uses a custom keystore and at runtime it creates a system property javax.net.ssl.trustStore and assign the location of the keystore to this system property. I have imported the schema registry related certificate in the keystore but still I am getting the same error as shared above.

Please let me know if I am missing something.

Thanks.