There are a couple of things that are wrong in your configuration.
Looking at your debugging logs, your certificate doesn't have the basic constraints to say CA=true.
```text
[
Version: V1
Subject: CN=Ficticious bank, OU=SoE, O=University, L=London, ST=England, C=UK
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
Validity: [From: Wed May 07 19:21:23 BST 2014,
To: Thu May 07 19:21:23 BST 2015]
Issuer: CN=Ficticious bank, OU=SoE, O=University, L=London, ST=England, C=UK
SerialNumber: [ 9a7143cf f5ecfbf8]
]
Algorithm: [SHA1withRSA]
...
]
```
It's not going to work as a CA if it's not a CA certificate. See RFC 3280 (and 5280):
> This extension MUST appear as a critical extension in all CA certificates that contain public keys used to validate digital signatures on certificates.
Secondly, this certificate, which you also want to use as an End-Entity Certificate (EEC) for your server, doesn't have a valid name for that server: no Subject Alternative Name and a CN that visibly doesn't match any host name. While the default `SSLSocket` doesn't do any hostname verification by default (you can configure it), it's useful to have a valid host name for a server certificate, since clients should really verify it in principle.
Overall, there don't seem to be many benefits in using the very same certificate for the CA and the server certificate. Self-signed certificates are mainly useful when used on their own. If you're planning to use it as a CA certificate too, you might as well separate the CA certificate and the server certificate. It will certainly be useful in the long run, in particular when you have to change the server cert, on "Thu May 07 19:21:23 BST 2015" in your example, or if perhaps you need to re-issue the server cert for any other reason.
Besides this, you have the right idea for your keystore and truststore:

Client:

- Keystore:
  - Client private key and certificate chain in the same entry (but the CA certificate itself can be omitted).
- Truststore:
  - CA certificate(s) that can validate the server cert.

Server:

- Keystore:
  - Server private key and certificate chain in the same entry (but the CA certificate itself can be omitted).
- Truststore:
  - CA certificate(s) that can validate the client certs.