Kyle - The CN should be either the DNS-resolvable host name of the Riak node, or its IP address (without "riak@"). Then, the Java client should be configured to use that to connect to the node (either DNS or IP). Without doing that, I really don't have any idea how the Java client is validating the server certificate during TLS handshake. Did you configure the client to *not* validate the server cert?
--
Luke Bakken
Engineer
lbak...@basho.com

On Mon, Aug 29, 2016 at 3:18 PM, Nguyen, Kyle <kyle.ngu...@philips.com> wrote:
> Hi Luke,
>
> The CN for client's certificate is "kyle" and the CN for riak cert
> (ssl.certfile) is "riak@127.0.0.1" which matches the nodename in the
> riak.conf. Riak ssl.cacertfile.pem contains the same CA (getACert) which I
> used to sign both client and riak public keys. It appears that riak also
> validated the client certificate following this SSL debug info. I do see ***
> CertificateVerify (toward the end) after the client certificate is requested
> by Riak. Please let me know if it looks right to you.
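
The name check discussed in this thread, as an added example that is not part of the original messages and is not the Riak Java client's or the JVM's own validator: a simplified model of TLS endpoint identification showing why a CN of "riak@127.0.0.1" cannot match a client that dials 127.0.0.1. The function name `cert_matches_endpoint`, the dict layout standing in for a certificate, and the host `riak1.example.com` are assumptions; `cn_fallback=False` models validators that ignore the CN and accept only subjectAltName entries.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h

def cert_matches_endpoint(cert, endpoint, cn_fallback=True):
    """cert: dict with 'cn', 'san_dns', 'san_ip' (simplified stand-in for X.509)."""
    if _is_ip(endpoint):
        want = ipaddress.ip_address(endpoint)
        sans = cert.get("san_ip", [])
        if any(ipaddress.ip_address(s) == want for s in sans):
            return True
        cn = cert.get("cn", "")
        # Legacy behaviour: consult the CN only when no SAN of this type exists.
        return bool(cn_fallback and not sans and _is_ip(cn)
                    and ipaddress.ip_address(cn) == want)
    sans = cert.get("san_dns", [])
    if any(_dns_match(s, endpoint) for s in sans):
        return True
    return bool(cn_fallback and not sans
                and _dns_match(cert.get("cn", ""), endpoint))

# Constructed sample certificates (names only, no real keys).
NODENAME_CN = {"cn": "riak@127.0.0.1"}   # CN copied from the Erlang nodename
IP_CN = {"cn": "127.0.0.1"}              # CN is the address the client dials
HOST_SAN = {"cn": "riak1.example.com",
            "san_dns": ["riak1.example.com"], "san_ip": ["127.0.0.1"]}

if __name__ == "__main__":
    for label, cert in [("nodename CN", NODENAME_CN), ("IP CN", IP_CN), ("SAN", HOST_SAN)]:
        for ep in ("127.0.0.1", "riak1.example.com"):
            print(f"{label:12} {ep:18} "
                  f"fallback={cert_matches_endpoint(cert, ep)} "
                  f"san_only={cert_matches_endpoint(cert, ep, cn_fallback=False)}")
```

If a client accepts the nodename-style certificate, the likely explanation is that name checking is not being performed at all, which is the question raised in the reply above.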