marschall/jfr-handshake
TLS Debugging with JFR

Sometimes when debugging SSL/TLS connection issues in Java, JSSE debug logging may not be available because it requires a JVM restart and a change to the JVM arguments. In such cases Java Flight Recorder (JFR) Security Events may be used. JFR Security Events are available in Java 12+, 11.0.5+ and 8u231+. To generate JFR events you need a configuration file like this one:

<?xml version="1.0" encoding="UTF-8"?>
<configuration version="2.0" label="TLS Debugging" description="JFR Events for TLS debugging" provider="marschall.github.io">

  <event name="jdk.SecurityPropertyModification">
    <setting name="enabled">true</setting>
    <setting name="stackTrace">true</setting>
  </event>

  <event name="jdk.TLSHandshake">
    <setting name="enabled">true</setting>
    <setting name="stackTrace">true</setting>
  </event>

  <event name="jdk.X509Validation">
    <setting name="enabled">true</setting>
    <setting name="stackTrace">true</setting>
  </event>

  <event name="jdk.X509Certificate">
    <setting name="enabled">true</setting>
    <setting name="stackTrace">true</setting>
  </event>

</configuration>

Analysis may not be very comfortable as the information available is limited.

So it may pay to create a page with all certificates; this way you can search by certificate id.

Extensions like SAN are not available, so you may have to inspect the certificate with a different tool.
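One way to do the lookup by certificate id offline is sketched below; this is an added example, not code from the jfr-handshake repository. It assumes a recording dumped to a file (the name `tls-debug.jfr` is a placeholder) and the field names the JDK defines for `jdk.TLSHandshake` and `jdk.X509Certificate`.

```java
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordingFile;

// Added example, not part of the jfr-handshake repository.
public class TlsCertificateIndex {

  public static void main(String[] args) throws Exception {
    // Assumption: recording file name; pass the real path as first argument.
    String file = args.length > 0 ? args[0] : "tls-debug.jfr";
    List<RecordedEvent> events = RecordingFile.readAllEvents(Paths.get(file));

    // Pass 1: index jdk.X509Certificate events by certificateId.
    Map<Long, RecordedEvent> certificates = new HashMap<>();
    for (RecordedEvent event : events) {
      if (isType(event, "jdk.X509Certificate")) {
        certificates.put(event.getLong("certificateId"), event);
      }
    }

    // Pass 2: print each handshake with the certificate it refers to.
    for (RecordedEvent event : events) {
      if (!isType(event, "jdk.TLSHandshake")) {
        continue;
      }
      long id = event.getLong("certificateId");
      System.out.printf("%s %s:%d %s %s certificateId=%d%n", event.getStartTime(),
          event.getString("peerHost"), event.getInt("peerPort"),
          event.getString("protocolVersion"), event.getString("cipherSuite"), id);
      RecordedEvent cert = certificates.get(id);
      if (cert == null) {
        System.out.println("  no jdk.X509Certificate event with this id in the recording");
        continue;
      }
      System.out.printf("  subject=%s%n  issuer=%s%n  serial=%s key=%s/%d valid %s .. %s%n",
          cert.getString("subject"), cert.getString("issuer"),
          cert.getString("serialNumber"), cert.getString("keyType"),
          cert.getInt("keyLength"), cert.getInstant("validFrom"),
          cert.getInstant("validUntil"));
    }
  }

  private static boolean isType(RecordedEvent event, String name) {
    return event.getEventType().getName().equals(name);
  }
}
```

`RecordingFile.readAllEvents` loads the whole recording into memory, which is fine for a short debugging capture restricted to the four security events.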

Demo code can be found under jfr-handshake.
