


I have this code to connect the server with a client using SSL, and now I want to add client-side authentication:


(I have a server keystore (JCEKS type) and a client keystore (JKS type), the server uses a truststore (cacerts) where I imported both certificates because I also want to use this truststore for client authentication)


System.setProperty("", cerServer);
System.setProperty("", pwdCacerts);

SSLSocketFactory sslsocketfactory = (SSLSocketFactory)  SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("localhost", port);


KeyStore ks = LoadKeyStore(new File(serverKeyStore), pwdKeyStore, "JCEKS");
KeyManagerFactory kmf; 
kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, pwdKeyStore.toCharArray());

SSLContext sc = SSLContext.getInstance("SSL");
sc.init(kmf.getKeyManagers(),null, null);   

SSLServerSocketFactory ssf = sc.getServerSocketFactory(); 
sslserversocket = (SSLServerSocket) ssf.createServerSocket(port);



edit: I add this code in the server side:

System.setProperty("", cacerts);
System.setProperty("", pwdCacerts);


but if I delete the client certificate in cacerts, the connection doesn't give me error and for that I think it's wrong that way


If you want your system to use client-certificate authentication, you'll need

  • 服务器请求(或要求)客户端证书.这是通过在服务器套接字上分别设置setWantClientAuth(true)(或分别为setNeedClientAuth)来完成的.您还需要服务器公布它接受的CA,通常通过使用服务器上的信任库来完成,该信任库包含颁发客户端证书链的CA(这似乎是您通过设置*在服务器上).

  • the server to request (or require) a client certificate. This is done by setting setWantClientAuth(true) on the server socket (or setNeedClientAuth, respectively). You'll also need the server to advertise the CA it accepts, which is normally done by using a truststore on the server that contains the CA by which the client-certificate chain was issued (this seems to be what you've done by setting* on the server).


the client to be configured with a keystore containing the client certificate (possible the chain if there are intermediate CAs) and its private key. This can be done by setting the* (which may affect other connections) or by using a KeyManagerFactory in the same way as you've done it on the server side.


If you use setWantClientAuth(true), you might still not get an error, since the server will accept connections that don't have a client-certificate (the server would then check the SSLSession's peer certificates to see whether there was a cert or not). setNeedClientAuth(true) would break the connection when the client doesn't present a certificate.