Yes, I did check the docs. My serverTrustStore was populated as described in the
manual, i.e.
"Install a client certificate in the server's trust store:

keytool -import -alias aDerbyClient -file aClient.cert 
        -keystore serverTrustStore.key"

As said, my expectation was that installing just the certificate of the client(s)
would suffice (as per my use case 3a). This way the set-up of the
serverTrustStore would be achieved the same way as, and be consistent with, how
this is done for the clientTrustStore (and, as said, my use case 2 below, where
only the client requests peer authentication, works). But in the case of the
serverTrustStore and the server requesting peer authentication this only works
after importing the CA certificate into the serverTrustStore as well - BUT!!
then *any* client certificate signed by this CA seems to work - even if the
client certificate is not part of the truststore. In fact it already works if
the CA certificate is the *only* certificate in the serverTrustStore. It is
unclear to me why the CA certificate needs to be imported into the truststore -
IMHO this should not be necessary.



Reply via email to
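A small diagnostic, added here as an example and not part of Derby or of the post above, that answers the question "what does the server's trust store actually accept?" without running Derby. It loads the JKS trust store built with the keytool command quoted in the post, builds the same PKIX trust manager JSSE uses for peer authentication, prints the trust anchors the store yields, and then checks a client certificate (or chain) against it. Assumed inputs: the file names from the post (serverTrustStore.key, aClient.cert), a store password passed on the command line, and that aClient.cert holds the DER or PEM certificate(s) the client presents. The accepted-issuers list is also what the server advertises in its TLS CertificateRequest, so comparing it with the issuer of the client certificate is a useful check when a client-only trust store misbehaves.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Checks a client certificate chain against a JKS trust store the way the
 * JSSE server side does when it requests peer authentication.
 *
 * Usage: java TrustStoreCheck serverTrustStore.key <storepass> aClient.cert
 *
 * Added example, not Derby code. File names follow the post; the store
 * password and the contents of aClient.cert are assumptions.
 */
public class TrustStoreCheck {

    // "PKIX" is the algorithm behind JSSE's default X509TrustManager.
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager for this store");
    }

    // Reads one or more X.509 certificates (DER or PEM) in the order they
    // appear in the file; the first one must be the client's own certificate.
    static X509Certificate[] readChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustStoreCheck <truststore.jks> <storepass> <client-cert-file>");
            System.exit(2);
        }
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        X509TrustManager tm = trustManagerFor(ts);

        // Every certificate in the store becomes a trust anchor; this list is
        // also what the server sends as certificate_authorities in its
        // CertificateRequest, so the client's issuer should appear here.
        System.out.println("Trust anchors / accepted issuers:");
        for (X509Certificate anchor : tm.getAcceptedIssuers()) {
            System.out.println("  " + anchor.getSubjectX500Principal());
        }

        X509Certificate[] chain = readChain(args[2]);
        System.out.println("Client cert subject: " + chain[0].getSubjectX500Principal());
        System.out.println("Client cert issuer:  " + chain[0].getIssuerX500Principal());
        try {
            // Same call JSSE makes on the server when the client presents a chain.
            tm.checkClientTrusted(chain, "RSA");
            System.out.println("ACCEPTED by this trust store");
        } catch (CertificateException e) {
            System.out.println("REJECTED: " + e.getMessage());
        }
    }
}
```

Run it once against a store that holds only aClient.cert and once against a store that holds only the CA certificate: the second run prints the CA as the sole anchor and accepts any chain that CA signed, which is the PKIX trust-anchor behaviour the post observes. The first run shows what the server will advertise to clients when the leaf certificate itself is the only entry.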