Setting up TLS mutual authentication fails according to the documentation

Generated server and client certificates according to the documentation: [](https://www.emqx.io/docs/zh/latest/network/tls-certificate.html)
In the console, the server certificate and root certificate have been configured, and client verification has been enabled.
![image](https://github.com/emqx/MQTT-Client-Examples/assets/8734941/ffce04a4-5386-4454-b9ec-7d2e6acc3745)
Using the MQTTX tool with the client certificate and root certificate configured, the connection is successful.
![image](https://github.com/emqx/MQTT-Client-Examples/assets/8734941/6513b8bb-3678-4dd8-a60c-5f7138ef1e25)
However, using the Java Paho client, the setup fails when following the example: [](https://github.com/emqx/MQTT-Client-Examples/blob/master/mqtt-client-Java/src/main/java/io/emqx/mqtt/SSLUtils.java)

`        Security.addProvider(new BouncyCastleProvider());

        // Load CA certificates
        KeyStore caKs = loadCAKeyStore(caCrtFile);

        // Load client certificate chain and key
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);

        // Load the entire client certificate chain
        Certificate[] chain;
        try (FileInputStream fis = new FileInputStream(crtFile)) {
            CertificateFactory cf = CertificateFactory.getInstance("X509");
            Collection<? extends Certificate> certs = cf.generateCertificates(fis);
            chain = certs.toArray(new Certificate[0]);
        }

        // Load client private key
        try (PEMParser pemParser = new PEMParser(new FileReader(keyFile))) {
            Object object = pemParser.readObject();
            JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
            PrivateKey key = converter.getPrivateKey((PrivateKeyInfo) object);
            ks.setKeyEntry("private-key", key, password.toCharArray(), chain);
        }

        // Set up key managers and trust managers
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
        tmf.init(caKs);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password.toCharArray());

        // finally, create SSL socket factory
        SSLContext context = SSLContext.getInstance("TLSv1.2");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        return context.getSocketFactory();`
I have repeatedly checked, and the certificate paths are correct.
Is there any way to handle this?

---
## Translated Screenshots

**Screenshot 1 Translation:**
Here's the translation of the Chinese text in the image:

*   **验证客户端证书**: Verify Client Certificate
*   **文件路径**: File Path
*   **重新**: Reload / Reset (This appears multiple times, likely as a button label for "Reload" or "Reset")
*   **SSL 版本**: SSL Version
*   **没有证书则 SSL 失败**: SSL fails without a certificate
*   **CA 证书深度**: CA Certificate Depth
*   **启用 OCSP Stapling**: Enable OCSP Stapling
*   **启用 CRL 检查**: Enable CRL Check
*   **密钥文件密码**: Key File Password

**Screenshot 2 Translation:**
测试环境 - Test Environment


---
*This issue was automatically translated from Chinese.*


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Setting up TLS mutual authentication fails according to the documentation #137

Translated Screenshots

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Setting up TLS mutual authentication fails according to the documentation #137

Description

Translated Screenshots

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions