I have a web application on Apache Tomcat server A. This webapp makes connection to a server B running somewhere else. This server B requires client authentication with SSL certificate.

What I am trying to achieve is, to make this web application on server A to use SSL client certificate to authenticate on server B.

Therefore I have provided some additional JAVA_OPTS for my Tomcat Server A:

    -Djavax.net.ssl.trustStore=/location/keystore.jks 
    -Djavax.net.ssl.trustStorePassword=changeit 
    -Djavax.net.ssl.keyStore=/locaton/keystore.jks 
    -Djavax.net.ssl.keyStorePassword=changeit 
    -Djavax.net.debug=ssl

Now this keystore.jks contains three certificates:

• CA certificate
• Server certificate (PKCS12) This is certificate of server A
• Client certificate (PKCS12) this is the client certificate I want my webapp to use.

tomcat/logs/catalina.out gives this:

Client write key:
0000: some hex
Server write key:
0000:some hex
... no IV used for this cipher
*** CertificateVerify
pool-1-thread-2, WRITE: TLSv1 Handshake, length = 134
pool-1-thread-2, WRITE: TLSv1 Change Cipher Spec, length = 1
Finished
verify_data:  { data }

pool-1-thread-2, WRITE: TLSv1 Handshake, length = 32
pool-1-thread-2, READ: TLSv1 Alert, length = 2
pool-1-thread-2, RECV TLSv1 ALERT:  fatal, unsupported_certificate
pool-1-thread-2, called closeSocket()
pool-1-thread-2, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: unsupported_certificate
pool-1-thread-2, called close()

In order to prove the correctness of this keystore I have written a tiny java application which makes connection to the same server B with the same keystore and it successfully negotiates client certificate.

I have tried to change this client certificate to X509 type, but even then I am getting errors and am not able to communicate.

I thought maybe there is something I am missing? Does somebody have experience with this kind of stuff?

Thank you