As this is high on the Google search results for "jboss WS Client Mutual Certificate" and doesn't have a posted resolution, I thought I'd post what I did to get everything working.
The basic principle here is that BOTH the Web Service (WS) and the Web Service Client (WS-C) need to have the other's key stored as "trusted". Specifically, the following needs to be set ON BOTH SIDES:
-Djavax.net.ssl.trustStore=/home/dev/.truststore
-Djavax.net.ssl.trustStorePassword=changeit
Now, both sides also need their own keystore. The key of WS needs to be trusted by WS-C and vice-versa. Set the following ON BOTH SIDES:
-Djavax.net.ssl.keyStore=/home/dev/.keystore
-Djavax.net.ssl.keyStorePassword=changeit
To get something up and running quickly, use the same keystore and truststore on both sides ... even simpler, you can create a new keystore and simply copy the output file to also become the truststore:
$JAVA_HOME/bin/keytool -genkey -alias jboss -keyalg RSA
cp .keystore .truststore
You can also do an explicit import to load a key into a truststore:
keytool -import -alias jboss -file certificate -storepass changeit -keystore .truststore
This all worked for me. If possible, please provide feedback on gotchas or success stories relating to the above.
All the best,
Richard