I had some issues setting up Mutual SSL on Tomcat 7.x where I just got a not very explaining error on my Java client, when connecting to Tomcat.I just got the Exception :

javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

and when looking in the Tomcat logs setting loglevels to finest for org.apache I got the Exception in the log on the server :

Handshake failed: java.io.IOException: SSL handshake failed. Ciper suite in SSL Session is SSL_NULL_WITH_NULL_NULL

In my opinion not very explaining error messages, and I thought I had configured everything correctly on my Tomcat, but this wasn’t the case, so pay attention when setting up Mutual SSL on the tomcat, when your client certificates are signed by an unknown CA certificate.

Check your chain on your client certificate to see if it is signed by some CA that is not known in the general cacerts on you java installation, and if  not it’s a good idea to configure your tomcat to use its own truststore where you can add this certificate.

For example, I have this config now, where I just use the same keystore for tomcat as well as trusted certs :

<Connector port="8449" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS" 
               keystoreFile="${catalina.home}/conf/tomcat.keystore" keystorePass="changeit"
               trustoreFile="${catalina.home}/conf/tomcat.keystore" truststorePass="changeit" />

then when adding the client certificate start by adding the CA certificate, you should obtain this from the client certificate file if you have it there or obtain it from the CA issuer itself, so for example if you have the CA certificate as x509 certificate you can add this by using the command :

keytool -import -alias somecacert -keystore tomcat.keystore -file somecacert.cer

and then import the client certificate with :

keytool -import -alias clientcert -keystore tomcat.keystore -trustcacerts - file clientcert.cer

This will do the trick. You can off course also import the ca certificate to you java installations cacerts.