Wireshark and also java setting "-Djava.net.debug=all" where used to view the SSL/TLS handshake.
The deal with the newly added CA cert, is that it has "Sign Client" enabled - prior to that they did not have any certs with "Sign Client" enabled.
With that one cert with "Sign Client" enabled - the gateway sends the SSL ServerHello response back to the client with client-cert request part like this :
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<CN=*<Server Name><Domain>, O="Broadcom, Inc.", L=San Jose, ST=California, C=US>
Previously (with no certs enabled for "Sign Client") the request looked like this:
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<Empty List>
And for the fix (for one app anyway) we added the issuer of their cert -so have two certs marked as "Sign Client" and they get :
Cert Types: RSA, DSS, ECDSACert Authorities:
<CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US>
<CN=*<Server Name><Domain>, O="Broadcom, Inc.", L=San Jose, ST=California, C=US>
Now, what the client program does with that client-cert-request part in the ServerHello is up to the client program - browsers will often use that list to determine which certificates are valid and pop up a list to let you choose one.
Some clients (RestMan, SSG Policy Manager) ignore it and just send whatever cert you selected to send with that URL.
They are using java SpringClient - which uses the normal java code, which uses that list to filter for valid certificates :
So :
a) When there is No DN names,
The client seems it is happy to send any client cert (ie this is working - as per the original setup).
b) When there is just one not-matching cert :
c) When we put in two client certs as "Sign Client" :