Right. Sounds weird. I'll investigate. Might take some days tho...

Dag

On 10.01.2013 21:20, Thomas Hill wrote:
> yes, I did check the docs. My serverTrustStore was populated as described in the
> manual, i.e.
> "Install a client certificate in the server's trust store:
>
> keytool -import -alias aDerbyClient -file aClient.cert 
>         -keystore serverTrustStore.key"
>
> As said my expectation was installing just the certificate of the client(s)
> would suffice (as per my use case 3a). And this way the set-up of the
> serverTrustStore would be achieved the same way as and be consistent with how
> this is done for the clientTrustStore (and as said my use case 2 below where
> only the client requests peer Authentication works). But in case of the
> serverTrustStore and the server requesting peerAuthentication this only works
> after importing the CA certificate into the serverTrustStore as well - BUT!!
> then *any* client certificate signed by this CA seems to work - even if the
> client certificate is not part of the truststore. In fact it already works if
> the CA certificate is the *only* certificate in the servertruststore. It is
> unclear to me why the CA certificate needs to be imported into the truststore -
> imho this should not be necessary.
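An added JSSE example, not code from this thread and not Derby's own, of the check Thomas's set-up would need if the server trust store is to act as an allow-list of individual clients rather than of everything the CA signs: let the standard trust manager validate the chain against the imported CA, then additionally require the leaf certificate to be one of the imported end-entity entries. The class name and the rule that every non-CA entry in the store names an allowed client are assumptions.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

/** Accepts a client only if its chain validates AND its leaf cert was itself imported. */
public final class AllowListTrustManager implements X509TrustManager {
    private final X509TrustManager pkix;      // JSSE's standard chain validation
    private final Set<String> allowedLeaves;  // SHA-256 fingerprints of imported end-entity certs

    public AllowListTrustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        pkix = (X509TrustManager) tmf.getTrustManagers()[0];
        Set<String> leaves = new HashSet<>();
        for (String alias : Collections.list(trustStore.aliases())) {
            java.security.cert.Certificate c = trustStore.getCertificate(alias);
            // basicConstraints == -1 means "not a CA": only such entries name allowed clients (assumption)
            if (c instanceof X509Certificate && ((X509Certificate) c).getBasicConstraints() == -1)
                leaves.add(fingerprint((X509Certificate) c));
        }
        allowedLeaves = Collections.unmodifiableSet(leaves);
    }

    static String fingerprint(X509Certificate c) throws CertificateException {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded()))
                sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (java.security.NoSuchAlgorithmException e) { throw new CertificateException(e); }
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        pkix.checkClientTrusted(chain, authType);            // chain must still validate to the imported CA
        if (!allowedLeaves.contains(fingerprint(chain[0])))  // and the leaf itself must have been imported
            throw new CertificateException("client certificate not in the trust store allow-list");
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        pkix.checkServerTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }
}
```

With only the CA in the store the allow-list is empty and every client is rejected; with the CA plus aClient.cert imported as in the quoted keytool command, only that client passes.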