[jboss-user] [Security & JAAS/JBoss] - Two-way SSL, which certificate does the client send?

fthurber do-not-reply at jboss.com
Thu Apr 9 13:38:53 EDT 2009

I have two JBoss servers running our application, connected by https; one is a client and the other a server, and I have a question about client certificates.  However, when I turned on clientAuth (and CLIENT-CERT), the client JBoss does not seem to send the correct certificate.  I get this error:

SSLHandshakeException: Received fatal alert: bad_certificate

I have checked the truststores on both JBoss servers, and they seem to be loaded correctly, etc.  The trust and identity stores are set up in the usual JBoss fashion and named Identity.jks and Truststore.jks.

However, I am wondering which certificate the client actually sends when the server asks for the client cert.  I would think that it would send my self-signed cert in Identity.jks, but now I am not sure it does.

Does my client code know enough to find the cert in Identity.jks or do I need to explicitly set the javax.net.ssl.keyStore system property?  I tried doing this in the JAVA_ARGS in the run.sh, but there were dire consequences.  Do I need to do this in my application code?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4224769#4224769

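Background for the question above, added here as an editor's note rather than part of the original post: when client code uses the default SSLContext, JSSE builds its key manager from the javax.net.ssl.keyStore / javax.net.ssl.keyStorePassword system properties and from nothing else, so Identity.jks is not consulted unless those properties point at it. With no key material the client answers the server's CertificateRequest with an empty Certificate message, and a JSSE server configured with clientAuth="true" rejects that with a fatal bad_certificate alert ("null cert chain"). The key manager also only offers a chain whose issuer is among the CA names the server advertises in the CertificateRequest, which come from the server's own truststore, so a self-signed client cert has to be present in the server's Truststore.jks. Because the system properties are JVM-wide (they would also govern every other outbound SSL connection the server makes), the per-connection alternative is to build an SSLContext in application code. The example below is not from the post or from JBoss; the store passwords ("changeit"), the key alias ("identity") and the URL are assumed placeholders, and the store file names are the ones the poster mentioned.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Added example (not JBoss code): build the client-side SSLContext explicitly from
 * Identity.jks and Truststore.jks instead of the JVM-wide javax.net.ssl.keyStore
 * property, and log which alias the key manager offers when the server sends its
 * CertificateRequest.
 */
public class ClientCertExample {

    /** Wraps the default X509KeyManager so the client alias choice is visible and can be pinned. */
    static final class LoggingKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;
        private final String pinnedAlias; // null = accept whatever the delegate picks

        LoggingKeyManager(X509KeyManager delegate, String pinnedAlias) {
            this.delegate = delegate;
            this.pinnedAlias = pinnedAlias;
        }

        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            // 'issuers' is the certificate_authorities list from the server's CertificateRequest,
            // i.e. the subjects in the server's truststore. The default manager returns null
            // (-> empty client Certificate message) if no chain in the keystore is issued by one of them.
            String chosen = delegate.chooseClientAlias(keyTypes, issuers, socket);
            System.out.println("CertificateRequest: keyTypes=" + Arrays.toString(keyTypes)
                    + " issuers=" + Arrays.toString(issuers) + " -> default alias=" + chosen);
            return pinnedAlias != null ? pinnedAlias : chosen;
        }

        public String[] getClientAliases(String keyType, Principal[] issuers) {
            return delegate.getClientAliases(keyType, issuers);
        }
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            return delegate.chooseServerAlias(keyType, issuers, socket);
        }
        public String[] getServerAliases(String keyType, Principal[] issuers) {
            return delegate.getServerAliases(keyType, issuers);
        }
        public X509Certificate[] getCertificateChain(String alias) {
            return delegate.getCertificateChain(alias);
        }
        public PrivateKey getPrivateKey(String alias) {
            return delegate.getPrivateKey(alias);
        }
    }

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    static SSLContext buildClientContext(String identityPath, char[] identityPass,
                                         String trustPath, char[] trustPass,
                                         String pinnedAlias) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(identityPath, identityPass), identityPass); // assumes key password == store password
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) {
                kms[i] = new LoggingKeyManager((X509KeyManager) kms[i], pinnedAlias);
            }
        }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustPath, trustPass));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders assumed for this example: passwords, alias and server URL are not from the post.
        SSLContext ctx = buildClientContext("Identity.jks", "changeit".toCharArray(),
                                            "Truststore.jks", "changeit".toCharArray(),
                                            "identity");
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://server.example:8443/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // per-connection, not JVM-wide
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Run it once with pinnedAlias set to null: the logged "issuers" show exactly which CA names the server is willing to accept, and a null default alias means nothing in Identity.jks is issued by any of them, which is the case to fix on the server's truststore side rather than in client code. Pinning an alias only helps when the keystore holds several usable keys; pinning one that does not exist makes getPrivateKey return null and the handshake fails anyway.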
