I'm trying to create a java SSL socket server application that a few java SSL socket client applications will connect to. To guarantee the trustworthiness of both communication partners,
(1) the server should only accept a client connection if the client's certificate was signed with the server's private key
(2) the client should only communicate to the server if the server's certificate is contained in the client's trusted store.
Because I'm totally new to JSSE, I only managed the client application to connect to the server solely if its certificate is contained in the client's trusted store (condition 2). However, I have no clue how to achieve my 1st condition...
I would be grateful for every kind of help.
Best regards, Galveston01
If I understand your question correctly, what you're asking is how to enable two way SSL/TLS. This requires the client to validate the server cert (point 2 in your question) AND the server to validate the client cert - known as client authentication (point 1).
It sounds like you have got "regular" one way TLS working. I'm assuming that you've created and signed the server cert yourself (aka self signed cert) and this is why you have to import the server cert itself into the client truststore - there are no CA root/intermediate certs that have been used to sign it with.
To enable client authentication (point 1) you need to do two things:
Ensure that the client certificate is in the server's truststore (as before, if this was not a self signed cert, then you would need to import the root/intermediate certs into the server truststore, no need to import the cert itself). Since you've already been through this process on the client side it should pose no problems.
Configure JSSE on the server to enable client side auth. To do this you'll need to set the following property:
SSLServerSocket.setNeedClientAuth(true)
Assuming that the truststore on the server contains your self signed client cert and the truststore on the client contains your self signed server cert then this should work.
If you are not using self signed certs but infact have access to test CA or are using genuinely signed cert ( no reason not to with letsencrypt) then you might want to look at the answers and comments to these SO questions:
client not sending certificate for client authentication in TLS