Type: Bug
Resolution: Not a Bug
Priority: Major
Version: fuse-7.4-GA
When client certificate authentication (useSslClientAuthentication) is enabled, the Jolokia process uses the caCert parameter to select the CA certificate that a presented client certificate must chain to. Jolokia expects a single certificate at the configured location:
$ oc rsh $APP_POD cat /opt/jolokia/etc/jolokia.properties | egrep "useSsl|caCert"
useSslClientAuthentication=true
caCert=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
If that file contains more than one CA certificate and the signer of the Fuse Console client certificate is not the first one, client authentication fails with a PKIX path building error, because only the first certificate in the file is used as the trust anchor. The expected CA certificate is the service serving signer:
$ oc exec $APP_POD -- cat /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt | openssl x509 -text -noout | grep Issuer
Issuer: CN = openshift-service-serving-signer@1636040859
In some cases the file holds several certificates and Jolokia trusts only the first one, which can be a different signer, for example:
Issuer: CN=kube-apiserver-lb-signer, OU=openshift
Note that openssl x509 itself also reads only the first certificate of a PEM file, so the command above shows exactly the certificate Jolokia will use, but not whether further certificates follow it in the bundle.
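The following Go program is an added example, not code from this issue, from Jolokia or from Fuse. It walks every certificate in a PEM bundle such as service-ca.crt, lists them in file order, and models the first-cert-wins behaviour described above: it reports which CN Jolokia would actually trust and whether that is the service serving signer. Two things are this example's own assumptions: the signer is recognised by the CN prefix openshift-service-serving-signer@ (the suffix is a timestamp that changes on rotation), and SelfSignedCA generates throwaway certificates purely so that a sample bundle can be constructed offline; they are in no way how OpenShift issues its signers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
	"math/big"
	"os"
	"strings"
	"time"
)

// SignerPrefix is the serving signer's CN without its '@<timestamp>' suffix,
// which changes on every rotation; matching only the prefix is this example's choice.
const SignerPrefix = "openshift-service-serving-signer@"

// CertEntry is one CERTIFICATE block of a PEM bundle, in file order (1-based).
type CertEntry struct {
	Index     int
	SubjectCN string
	IssuerCN  string
}

// ParseBundle decodes every PEM block, not only the first one as `openssl x509` would.
func ParseBundle(pemData []byte) ([]CertEntry, error) {
	var entries []CertEntry
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate #%d: %w", len(entries)+1, err)
		}
		entries = append(entries, CertEntry{len(entries) + 1, cert.Subject.CommonName, cert.Issuer.CommonName})
	}
	if len(entries) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks in bundle")
	}
	return entries, nil
}

// Diagnose models the first-cert-wins behaviour the issue describes: the CN
// Jolokia trusts, the 1-based position of the signer (0 if absent), ok if first.
func Diagnose(entries []CertEntry) (trustedCN string, signerPos int, ok bool) {
	for _, e := range entries {
		if strings.HasPrefix(e.SubjectCN, SignerPrefix) {
			signerPos = e.Index
			break
		}
	}
	return entries[0].SubjectCN, signerPos, signerPos == 1
}

// SelfSignedCA is a throwaway CA used only to construct a sample bundle offline.
func SelfSignedCA(cn string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	// Checks the file named as argument (e.g. a copy of service-ca.crt), else a constructed bad-order bundle.
	bundle := append(SelfSignedCA("kube-apiserver-lb-signer"), SelfSignedCA(SignerPrefix+"1636040859")...)
	if len(os.Args) > 1 {
		var err error
		if bundle, err = os.ReadFile(os.Args[1]); err != nil {
			log.Fatalln(err)
		}
	}
	entries, err := ParseBundle(bundle)
	if err != nil {
		log.Fatalln(err)
	}
	for _, e := range entries {
		fmt.Printf("#%d subject CN=%s issuer CN=%s\n", e.Index, e.SubjectCN, e.IssuerCN)
	}
	trusted, pos, ok := Diagnose(entries)
	fmt.Printf("Jolokia trusts only CN=%s; serving signer at position %d; ok=%v\n", trusted, pos, ok)
}
```

To run it against a real pod, copy the bundle out first (for example with oc cp, or by redirecting the oc exec ... cat output above to a local file) and pass the path as the argument. Without an argument it checks a constructed bundle with kube-apiserver-lb-signer first, which reproduces the failing order from this issue. If you only have a shell, openssl crl2pkcs7 -nocrl -certfile service-ca.crt | openssl pkcs7 -print_certs -noout prints every certificate in the bundle, unlike openssl x509, which stops after the first.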
Issue links:
is related to ENTESB-21742 New Fuse Console deployments don't work after yearly "openshift-service-serving-signer" certificate rotation. (Done)