I am using HttpClient 4.2.3 on Java 1.7 to connect to a remote server hosted by nginx. My organization makes extensive use of PKI, and both the remote and the client have certificates issued by a common CA.
The server has a signature chain, for example:
```
CN = Server 123, OU = Servers, OU = My Division, O = My Org, C = US
CN = My Division CA, OU = My Division, O = My Org, C = US
CN = My Org CA, O = My Org, C = US
```
And the client has a signature chain, as shown below:
```
CN = Client 456, OU = Servers, OU = My Division, O = My Org, C = US
CN = My Division CA, OU = My Division, O = My Org, C = US
CN = My Org CA, O = My Org, C = US
```
For some reason, the client does not provide its certificate to the server. The server is configured correctly (e.g. curl with --cert, --key and --cacert works). The client has its own certificate, private key and signature chain in the keystore, as well as the "My Division CA" and "My Org CA" certificates (inclusive) in its trust store. With SSL debugging enabled, I can verify that the keystore and trust store are loaded successfully. The client can connect to other servers that request certificates correctly. However, when I try to connect to "Server 123", I see the following:
```
*** ServerHello, TLSv1
...
** TLS_RSA_WITH_AES_256_CBC_SHA
...
*** Certificate chain
...
***
Found trusted certificate:
...
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN = My Division CA, OU = My Division, O = My Org, C = US>
<CN = My Org CA, O = My Org, C = US>
<CN=Some Other CA, OU=Some Division, O=My Org, C=US>
...
*** ServerHelloDone
...
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
...
HTTP/1.1 400 Bad Request
...
No required SSL certificate was sent
...
```
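The empty `*** Certificate chain` / `***` block that the client sends right after `ServerHelloDone` is what JSSE emits when its `X509KeyManager.chooseClientAlias` returns `null`: the default (SunX509) key manager only offers a private-key entry whose key algorithm is in the server's `Cert Types` and whose certificate chain has an issuer that appears in the server's `Cert Authorities` list. The following diagnostic is an added example (not code from the question or from HttpClient) that loads the client keystore, lists what it actually contains, and then asks the same key manager the same question the TLS handshake asks, using the two issuer names taken from the `CertificateRequest` above. The keystore path, password and the assumption that the key password equals the store password are placeholders.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/** Reproduces the JSSE client-certificate selection outside of the TLS handshake. */
public class ClientAliasCheck {

    public static void main(String[] args) throws Exception {
        // Hypothetical arguments: path to the client keystore and its password.
        String ksPath = args.length > 0 ? args[0] : "client.jks";
        char[] ksPass = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(ksPath)) {
            ks.load(in, ksPass);
        }

        // Step 1: what is really in the keystore? A trusted-cert entry without a
        // private key can never be presented as a client certificate.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                System.out.println("[" + alias + "] trusted certificate only, no private key");
                continue;
            }
            Key key = ks.getKey(alias, ksPass); // assumes key password == store password
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println("[" + alias + "] private key algorithm: " + key.getAlgorithm()
                    + ", chain length: " + chain.length);
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("    subject: " + x.getSubjectX500Principal());
                System.out.println("    issuer:  " + x.getIssuerX500Principal());
            }
        }

        // Step 2: ask the default key manager exactly what the handshake asks it.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, ksPass);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];

        // "Cert Types: RSA, DSS" from the CertificateRequest; JSSE names DSS keys "DSA".
        String[] keyTypes = { "RSA", "DSA" };
        // "Cert Authorities" from the CertificateRequest. An issuer name that does not
        // match byte-for-byte after X.500 normalisation will not be accepted.
        Principal[] issuers = {
            new X500Principal("CN=My Division CA, OU=My Division, O=My Org, C=US"),
            new X500Principal("CN=My Org CA, O=My Org, C=US"),
        };

        String chosen = km.chooseClientAlias(keyTypes, issuers, null);
        if (chosen == null) {
            System.out.println("key manager would send an EMPTY Certificate message");
        } else {
            System.out.println("key manager would present alias: " + chosen);
        }
    }
}
```

If step 2 prints `null` while step 1 shows a private-key entry, compare the printed issuer DN against the `Cert Authorities` line from the debug log attribute by attribute (order, spelling and extra OUs all matter); if step 1 shows no private-key entry at all, the client certificate was imported as a trusted certificate rather than as a key pair with its chain.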