Reading up on this, this is my understanding for your case (peerAuthentication in both directions). When using CA signed certs for both sides, you should keep the CA certs in the trust stores, i.e.
Client keystore:       Server keystore:
  client-key             server-key
  client-cert            server-cert

Client truststore:     Server truststore:
  server-ca-cert         client-ca-cert

Of course, server-ca and client-ca may be identical as in your example.

where:

* server-cert: the cert that the server presents to clients
* server-key: the private key that corresponds to server-cert
* server-ca-cert: the cert of the CA that signed server-cert
* client-cert: the cert that the client presents to the server
* client-key: the private key that corresponds to client-cert
* client-ca-cert: the cert of the CA that signed client-cert

It is true that this will allow secure connection of any client that has a cert signed by "client-ca-cert", but this is as it should be: the client is authenticated, and the communication can proceed encrypted. Further authorization should be handled by the server.

Hope this helps,
Dag
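As an added worked example, not Dag's code and not part of the original thread: the keystore/truststore layout above expressed in Go's crypto/tls, where each keystore becomes a tls.Certificate (cert plus private key) and each truststore an x509.CertPool holding the peer's CA cert. Go is used instead of Java keytool because its standard library can mint the CA and leaf certificates and run both sides of the handshake offline; the CA names, the hostname server.example, the client names, the lifetimes and the loopback port are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a key pair and certificate for cn, returned as keystore contents (cert + key).
// With signer == nil the result is a self-signed CA (stand-in for server-ca / client-ca); otherwise signer issues a leaf carrying eku.
func newCert(signer *tls.Certificate, cn string, eku x509.ExtKeyUsage) *tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // the SAN the client's hostname check is matched against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	if signer == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		signer = &tls.Certificate{Leaf: t, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, t, signer.Leaf, &key.PublicKey, signer.PrivateKey))
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

func newCA(cn string) *tls.Certificate                           { return newCert(nil, cn, x509.ExtKeyUsageAny) }
func serverCert(ca *tls.Certificate, cn string) *tls.Certificate { return newCert(ca, cn, x509.ExtKeyUsageServerAuth) }
func clientCert(ca *tls.Certificate, cn string) *tls.Certificate { return newCert(ca, cn, x509.ExtKeyUsageClientAuth) }

// configs maps the four stores onto tls.Config: Certificates is the keystore, ClientCAs / RootCAs the truststore.
func configs(serverKS, serverTS, clientKS, clientTS *tls.Certificate) (server, client *tls.Config) {
	serverTrust, clientTrust := x509.NewCertPool(), x509.NewCertPool()
	serverTrust.AddCert(serverTS.Leaf) // client-ca-cert
	clientTrust.AddCert(clientTS.Leaf) // server-ca-cert
	server = &tls.Config{
		Certificates: []tls.Certificate{*serverKS}, // server-key + server-cert
		ClientCAs:    serverTrust,
		ClientAuth:   tls.RequireAndVerifyClientCert, // no cert, or one from another CA, fails the handshake
	}
	client = &tls.Config{
		Certificates: []tls.Certificate{*clientKS}, // client-key + client-cert
		RootCAs:      clientTrust,
		ServerName:   serverKS.Leaf.Subject.CommonName, // must match a SAN in server-cert
	}
	return
}

// connect runs one mutual-TLS handshake over loopback TCP. clientCN is the subject the server authenticated
// (what an authorization layer keys on); serverErr / clientErr say which side, if either, refused its peer.
func connect(server, client *tls.Config) (clientCN string, serverErr, clientErr error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan struct{})
	go func() {
		defer close(done)
		srv := tls.Server(must(ln.Accept()), server)
		defer srv.Close()
		if serverErr = srv.Handshake(); serverErr != nil {
			return
		}
		clientCN = srv.ConnectionState().PeerCertificates[0].Subject.CommonName
		_, serverErr = srv.Write([]byte("ok"))
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), client)
	if clientErr = err; err == nil {
		// In TLS 1.3 the client's handshake completes before the server has checked the client cert,
		// so a Read is needed to learn whether it was accepted ("ok") or refused (an alert).
		_, clientErr = cli.Read(make([]byte, 2))
		cli.Close()
	}
	<-done
	return
}

func main() {
	serverCA, clientCA, otherCA := newCA("server-ca"), newCA("client-ca"), newCA("other-ca")
	srv := serverCert(serverCA, "server.example")
	// client-a and client-b are both accepted (telling them apart is authorization, not TLS); the cert from other-ca is refused despite the same name.
	for _, c := range []*tls.Certificate{clientCert(clientCA, "client-a"), clientCert(clientCA, "client-b"), clientCert(otherCA, "client-a")} {
		cn, serverErr, _ := connect(configs(srv, clientCA, c, serverCA))
		fmt.Printf("%s signed by %s: authenticated as %q, server error: %v\n", c.Leaf.Subject.CommonName, c.Leaf.Issuer.CommonName, cn, serverErr)
	}
}
```

Running it prints one line per client: client-a and client-b both authenticate because they chain to client-ca, which is exactly the point above that distinguishing them is the server's authorization job (connect returns the CN the server saw for that purpose), while the other-ca cert fails the handshake on the server side. Swapping the client's truststore to other-ca (configs(srv, clientCA, c, otherCA)) makes the client side fail instead, since server-cert no longer chains to a CA the client trusts.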