The server's keystore holds the client's public certificate, but it also contains an additional key pair, serverkey1. The public certificate for serverkey1 is not imported into the client's keystore, so the mutually authenticated handshake fails whenever the server sends the certificate for serverkey1 (the client cannot validate it). Since the key selection is based on the hash codes of the keys, the key the server picks is not predictable.
Setup
Generate the Client and Server Keystores
- keytool -genkeypair -alias serverkey -keyalg RSA -dname "CN=localhost,OU=Organization Unit,O=Organization,L=City,S=State,C=IN" -keypass password -keystore serverkeystore.jks -storepass password
- keytool -genkeypair -alias clientkey -keyalg RSA -dname "CN=localhost,OU=Organization Unit,O=Organization,L=City,S=State,C=IN" -keypass password -storepass password -keystore clientkeystore.jks
Install the client's public certificate into the server's keystore
- keytool -exportcert -alias clientkey -file client-public.cer -keystore clientkeystore.jks -storepass password
- keytool -importcert -keystore serverkeystore.jks -alias clientcert -file client-public.cer -storepass password -noprompt
Export the server's public certificate and import it into the client's keystore
- keytool -exportcert -alias serverkey -file server-public.cer -keystore serverkeystore.jks -storepass password
- keytool -importcert -keystore clientkeystore.jks -alias servercert -file server-public.cer -storepass password -noprompt
Generate a second server key pair under the alias serverkey1
- keytool -genkeypair -alias serverkey1 -keyalg RSA -dname "CN=localhost,OU=Organization Unit,O=Organization,L=City,S=State,C=IN" -keypass password -keystore serverkeystore.jks -storepass password
- Do not import the public certificate corresponding to serverkey1 into the client's keystore. The server keystore now holds two key entries with identical subjects (CN=localhost), only one of which the client trusts.
Check keystore contents
- keytool -list -keystore serverkeystore.jks -storepass password
- keytool -list -v -keystore serverkeystore.jks -storepass password -alias serverkey1
- keytool -list -v -keystore clientkeystore.jks -storepass password -alias clientkey
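The following Java program is an added example, not code from this page or its reporter. It runs a mutually authenticated TLS handshake over loopback with the two keystores generated above (serverkeystore.jks and clientkeystore.jks, password `password`, in the working directory), once with the default key manager and once with a small wrapper, PinnedKeyManager (a hypothetical class, not part of the JDK), that forces chooseServerAlias to return serverkey. The first run may succeed or fail depending on which of serverkey and serverkey1 the default X509KeyManager happens to select; the pinned run always presents the certificate the client has imported. The serial number is printed because both certificates share the subject CN=localhost.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

public class AliasPinDemo {

    // Hypothetical wrapper (not a JDK class): pins the alias the server presents
    // instead of letting the default X509KeyManager pick among matching key entries.
    static final class PinnedKeyManager extends X509ExtendedKeyManager {
        private final X509ExtendedKeyManager delegate;
        private final String alias;

        PinnedKeyManager(X509ExtendedKeyManager delegate, String alias) {
            this.delegate = delegate;
            this.alias = alias;
        }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            return alias;
        }
        @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
            return alias;
        }
        // Everything else is delegated unchanged.
        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            return delegate.chooseClientAlias(keyType, issuers, socket);
        }
        @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
            return delegate.chooseEngineClientAlias(keyType, issuers, engine);
        }
        @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
            return delegate.getClientAliases(keyType, issuers);
        }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
            return delegate.getServerAliases(keyType, issuers);
        }
        @Override public X509Certificate[] getCertificateChain(String a) {
            return delegate.getCertificateChain(a);
        }
        @Override public PrivateKey getPrivateKey(String a) {
            return delegate.getPrivateKey(a);
        }
    }

    // One JKS file serves as both keystore and truststore, matching the setup above.
    // pinnedAlias == null keeps the default alias selection.
    static SSLContext context(String path, char[] password, String pinnedAlias) throws Exception {
        // JKS on older JDKs, PKCS12 on newer ones; keystore.type.compat loads either format.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        KeyManager[] kms = kmf.getKeyManagers();
        if (pinnedAlias != null) {
            for (int i = 0; i < kms.length; i++) {
                if (kms[i] instanceof X509ExtendedKeyManager) {
                    kms[i] = new PinnedKeyManager((X509ExtendedKeyManager) kms[i], pinnedAlias);
                }
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // trusted-certificate entries (servercert / clientcert) come from the same file
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Runs one mutual-TLS handshake over loopback; returns true if the client accepted the server.
    static boolean handshake(String serverAlias) throws Exception {
        char[] pw = "password".toCharArray();
        SSLContext server = context("serverkeystore.jks", pw, serverAlias);
        SSLContext client = context("clientkeystore.jks", pw, null);
        try (SSLServerSocket ss = (SSLServerSocket) server.getServerSocketFactory()
                .createServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            ss.setNeedClientAuth(true); // require the client certificate
            Thread acceptor = new Thread(() -> {
                try (SSLSocket s = (SSLSocket) ss.accept()) {
                    s.startHandshake();
                } catch (Exception e) {
                    System.out.println("server side: " + e.getMessage());
                }
            });
            acceptor.start();
            try (SSLSocket cs = (SSLSocket) client.getSocketFactory()
                    .createSocket(ss.getInetAddress(), ss.getLocalPort())) {
                cs.startHandshake();
                X509Certificate leaf = (X509Certificate) cs.getSession().getPeerCertificates()[0];
                System.out.println("server presented " + leaf.getSubjectX500Principal()
                        + " serial " + leaf.getSerialNumber());
                return true;
            } catch (SSLException e) {
                System.out.println("client side: " + e.getMessage());
                return false;
            } finally {
                acceptor.join();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default selection   -> " + (handshake(null) ? "OK" : "FAILED"));
        System.out.println("pinned to serverkey -> " + (handshake("serverkey") ? "OK" : "FAILED"));
    }
}
```

Compile and run with `javac AliasPinDemo.java && java AliasPinDemo` in the directory holding the two keystores. Compare the serial printed by the pinned run with `keytool -list -v -keystore serverkeystore.jks -storepass password -alias serverkey`; when the default run fails, the server-side message will show the client rejecting a certificate chain it does not trust, which is the serverkey1 certificate that was deliberately left out of clientkeystore.jks.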