PAM Custom Connector unable to complete TLS connections to target endpoint for credential updates

Article ID: 273621

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We are experiencing difficulties when creating a custom connector that has a requirement to call REST APIs using certificate authentication on TLS 1.2.

We're using JDK 8 currently on the connector server and the java client we've built is using restTemplate to call the APIs. We are able to connect when the server does not have the TLS requirement enabled, but when we enable it for testing the TLS handshake fails with the server logs indicating that we are not sending any certificates for them to consume for authentication, and the connector logs are showing a handshake error with "bad certificate."

We've worked with the team managing the endpoints to confirm that we have all of their certificates and chains in the appropriate keystore/truststore and all certificates should be valid.

Environment

Privileged Access Manager 4.1

Cause

This was not a problem with the custom connector framework. The web service required mutual TLS authentication, so the client (the custom connector) had to present a certificate of its own. The certificate configured on the connector side was not usable for that purpose: its Extended Key Usage (EKU) extension permitted only TLS Web Server Authentication (serverAuth) and did not include TLS Web Client Authentication (clientAuth). A certificate whose EKU omits clientAuth cannot be used as a TLS client certificate, no matter how correct the keystore, truststore and certificate chain are, which is why the endpoint saw no usable client certificate and the handshake ended in a "bad certificate" error.

Resolution

After generating a new certificate whose Extended Key Usage explicitly includes client authentication (clientAuth), the custom connector was able to complete the TLS handshake successfully. Before troubleshooting keystores, truststores or the Java client code, confirm that the EKU of the certificate in the connector's keystore actually lists clientAuth; a serverAuth-only certificate will never satisfy a server that requires mutual TLS.
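The check described above, as an added example that is not part of the original article: the script below uses the openssl command line to mint a throwaway CA, issue one certificate whose EKU is serverAuth only (the situation in the Cause section) and one whose EKU also carries clientAuth (the situation after the Resolution), and then tests each with a small function that reports whether the certificate can serve as a TLS client certificate. The CA name, the file names and the common names are made up for the demonstration; the only assumption is that an openssl binary (1.1.1 or later) is on the PATH.

```shell
#!/bin/sh
# Added example (not from the article): mint a throwaway CA, issue one
# certificate whose EKU is serverAuth only and one that also carries
# clientAuth, then check which of them can act as a TLS client certificate.
# All names below (Demo Issuing CA, server-only, client-ok) are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Return 0 if the PEM certificate $1 may be used for TLS client
# authentication: either it has no Extended Key Usage extension at all
# (RFC 5280: an absent EKU means any purpose) or its EKU lists
# "TLS Web Client Authentication" (clientAuth, OID 1.3.6.1.5.5.7.3.2).
# Return 1 if an EKU is present but lacks clientAuth, which is the
# serverAuth-only situation that broke the connector's handshake.
has_client_auth_eku() {
    text="$(openssl x509 -in "$1" -noout -text)"
    if ! printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
        return 0
    fi
    # openssl prints the usage list on the line after the extension name.
    printf '%s\n' "$text" \
        | awk '/X509v3 Extended Key Usage/ { getline; print }' \
        | grep -q 'TLS Web Client Authentication'
}

# Self-signed CA used only to sign the two demo end-entity certificates.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo Issuing CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/ca.cnf" -extensions ca_ext \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# issue_cert NAME EKU_LIST: sign an end-entity certificate carrying the
# given extendedKeyUsage list. digitalSignature is set because a TLS
# client must sign the CertificateVerify message with this key.
issue_cert() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $1
[ee_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $2
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$1.cnf" -extensions ee_ext \
        -out "$WORK/$1.pem" 2>/dev/null
}

issue_cert server-only "serverAuth"              # the broken case
issue_cert client-ok   "serverAuth, clientAuth"  # the fixed case
SERVER_ONLY="$WORK/server-only.pem"
CLIENT_OK="$WORK/client-ok.pem"

for cert in "$SERVER_ONLY" "$CLIENT_OK"; do
    if has_client_auth_eku "$cert"; then
        echo "$(basename "$cert"): EKU permits clientAuth, usable as a client certificate"
    else
        echo "$(basename "$cert"): EKU is serverAuth only, will fail mutual TLS"
    fi
done
```

The same inspection can be done directly against the connector's Java keystore with `keytool -list -v -keystore <store>`, whose verbose output prints the extension as `ExtendedKeyUsages [ serverAuth ]` or `[ clientAuth ]`; if clientAuth is missing there, the certificate has to be reissued, as in the resolution above, rather than the client code changed.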