0 Replies Latest reply on Aug 13, 2015 10:30 PM by giriraj.sharma27

    Mutual SSL authentication for clients over WildFly

    giriraj.sharma27

      Hi,

      I do agree WildFly has support for enabling SSL and mutual SSL auth for clients by adding a security realm with a configured keystore and truststores and registering the https listener.

      I have configured the truststore by adding just the root CA cert, and it authenticates all clients having a certificate signed by the root CA.

      In case a client holds possession of 2 certs signed by the CA, he will be able to authenticate by importing either of them into his browser. For now, the subject name for the client cert is the client id.


      The idea is that only the root CA would be in the truststore so I wouldn't have to add individual client certs to the truststore. It works like a charm for client certs signed by the CA. Each client is issued only a single cert, and he won't be able to hold possession of any other valid client cert (issued to some other client) unless it is compromised.

      The requirement is that authenticating a client shouldn't just verify it's a valid client, but that it's the correct client, so it needs to check that the cert is the one associated with the client and not any other valid client. Any suggestions or help on this, and how can I proceed with it?
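The gap described in this post is the difference between the TLS layer proving "this certificate chains to our root CA" and the application proving "this certificate is the one enrolled for the client id being used". The following servlet filter is an added example, not code from the poster or from WildFly, showing the second check done in application code: it reads the chain that the container exposes under the Servlet-spec attribute `javax.servlet.request.X509Certificate` (populated once the https listener is configured to require client certificates), extracts the subject CN, and compares it with the CN recorded for the claimed client id. The `X-Client-Id` header and the `expectedCnByClientId` map are assumptions standing in for however the deployment identifies the client and stores enrolment records.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet filter (not WildFly code). By the time a request reaches it, the
 * https listener has already verified that the client certificate chains to the root CA in
 * the truststore, i.e. "this is a valid client". The filter adds the missing check:
 * "this is the client the request claims to be".
 */
public class ClientCertBindingFilter implements Filter {

    /** Attribute name defined by the Servlet spec for the verified client certificate chain. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Hypothetical header carrying the client id the caller claims; a path segment works too. */
    private static final String CLIENT_ID_HEADER = "X-Client-Id";

    /** Hypothetical enrolment record: client id -> subject CN of the single cert issued to it. */
    private final Map<String, String> expectedCnByClientId;

    public ClientCertBindingFilter(Map<String, String> expectedCnByClientId) {
        this.expectedCnByClientId = expectedCnByClientId;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain next)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // Listener not configured to require a client cert, or the client sent none.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        String claimedClientId = request.getHeader(CLIENT_ID_HEADER);
        // certs[0] is the end-entity (client) certificate; the rest is its chain.
        String presentedCn = commonName(certs[0]);

        if (!isBoundToClient(claimedClientId, presentedCn)) {
            // A CA-signed cert, but not the one enrolled for this client id.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not bound to client");
            return;
        }
        next.doFilter(req, res);
    }

    /** The binding rule: the presented subject CN must equal the CN enrolled for the id. */
    boolean isBoundToClient(String clientId, String presentedCn) {
        if (clientId == null || presentedCn == null) {
            return false;
        }
        String expectedCn = expectedCnByClientId.get(clientId);
        return expectedCn != null && expectedCn.equals(presentedCn);
    }

    /** Extracts the CN attribute from the subject DN (RFC 2253 form), or null if absent. */
    static String commonName(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // Unparseable DN: treat as "no CN" so the binding check fails closed.
        }
        return null;
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Register the filter in web.xml (or with `@WebFilter`) in front of the resources that are per-client. Two design points follow from the post's own scenario. First, the filter fails closed: no certificate, no claimed id, or an id with no enrolment record all end in a 401/403 rather than a fallthrough. Second, comparing the subject CN only works because each client is issued exactly one cert; if the CA could ever issue a second cert with the same CN to the same client, both would pass. Storing the SHA-256 fingerprint of `certs[0].getEncoded()` at enrolment and comparing that instead binds the client to one specific certificate and also removes the DN parsing.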