Hello.

I have set up Solr 6.1.0 to use SSL (on Windows) and to do client authentication based on the client certificate.

When I use the same certificate for both the server and the client authentication, everything works OK:

----------------------------------------------------------------
========== solr.in.cmd
set SOLR_SSL_KEY_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=password
set SOLR_SSL_TRUST_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=password
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false
REM (Client settings residing below are commented out.)

========== server\etc\jetty-ssl.xml
<Set name="KeyStorePath"><Property name="solr.jetty.keystore" default="F:/Users/me/Downloads/SolrSOS/solr-6.1.0/server/etc/solr-ssl.keystore.jks"/></Set>
<Set name="KeyStorePassword"><Property name="solr.jetty.keystore.password" default="password"/></Set>
<Set name="TrustStorePath"><Property name="solr.jetty.truststore" default="F:/Users/me/Downloads/SolrSOS/solr-6.1.0/server/etc/solr-ssl.keystore.jks"/></Set>
<Set name="TrustStorePassword"><Property name="solr.jetty.truststore.password" default="password"/></Set>
<Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth" default="true"/></Set>
<Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth" default="false"/></Set>

========== This works:
curl ^
  --cert "solr-ssl.keystore.pem" ^
  --cacert "solr-ssl.keystore.pem" ^
  "https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS&wt=json&indent=on"
----------------------------------------------------------------

However, when I try to use different server and client certificates, it doesn't work (it seems that it still uses the server certificate for client authorizations):

----------------------------------------------------------------
========== solr.in.cmd
set SOLR_SSL_KEY_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_KEY_STORE_PASSWORD=password
set SOLR_SSL_TRUST_STORE=%ROO%/server/etc/solr-ssl.keystore.jks
set SOLR_SSL_TRUST_STORE_PASSWORD=password
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false
set SOLR_SSL_CLIENT_KEY_STORE=%ROO%/server/etc/solr-ssl-client.keystore.jks
set SOLR_SSL_CLIENT_KEY_STORE_PASSWORD=password
set SOLR_SSL_CLIENT_TRUST_STORE=%ROO%/server/etc/solr-ssl-client.keystore.jks
set SOLR_SSL_CLIENT_TRUST_STORE_PASSWORD=password

========== server\etc\jetty-ssl.xml
<Set name="KeyStorePath"><Property name="solr.jetty.keystore" default="F:/Users/me/Downloads/SolrSOS/solr-6.1.0/server/etc/solr-ssl.keystore.jks"/></Set>
<Set name="KeyStorePassword"><Property name="solr.jetty.keystore.password" default="password"/></Set>
<Set name="TrustStorePath"><Property name="solr.jetty.truststore" default="F:/Users/me/Downloads/SolrSOS/solr-6.1.0/server/etc/solr-ssl.keystore.jks"/></Set>
<Set name="TrustStorePassword"><Property name="solr.jetty.truststore.password" default="password"/></Set>
<Set name="NeedClientAuth"><Property name="solr.jetty.ssl.needClientAuth" default="true"/></Set>
<Set name="WantClientAuth"><Property name="solr.jetty.ssl.wantClientAuth" default="false"/></Set>

========== This fails (!!!):
curl ^
  --cert "solr-ssl-client.keystore.pem" ^
  --cacert "solr-ssl.keystore.pem" ^
  "https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS&wt=json&indent=on"

========== This STILL works (!!!):
curl ^
  --cert "solr-ssl.keystore.pem" ^
  --cacert "solr-ssl.keystore.pem" ^
  "https://localhost:8898/solr/admin/collections?action=CLUSTERSTATUS&wt=json&indent=on"
----------------------------------------------------------------

I run Solr like this:

"%ROO%\bin\solr" start -c -V -f -p 8898^
  -Dsolr.ssl.checkPeerName=false

From what I can tell, Solr uses the values from `server\etc\jetty-ssl.xml` and totally discards the ones from `solr.in.cmd`.

Naturally, I would try to set the client certificate inside there (jetty-ssl.xml), but I don't see any setting available for that.

Is what I am trying to do (use different certificates for server and client authentication) supported, or am I wasting my time? Also, why don't the docs say that jetty-ssl.xml overrides the settings in `solr.in.cmd`? Am I missing something?

Thanks,
Kostas