Unfortunately – it could be many things – and lots of app servers and other java ‘wrappers’ are prone to play with properties and their ‘own’ take on keychains and what not. So it may be looking at something totally different.
Short of truss-ing – I’d try:
java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=trustStore ...
to see if that helps. Instead of ‘all’ one can also set it to ‘ssl’, key manager and trust manager – which may help in your case. Setting it to ‘help’ will list something like below on most platforms.
Regardless – do make sure you fully understand the difference between the keystore (in which you have the private key and cert you prove your own identity with) and the trust store (which determines who you trust) – and the fact that your own identity also has a ‘chain’ of trust to the root – which is separate from any chain to a root you need to figure out ‘who’ you trust.
all turn on all debugging ssl turn on ssl debugging The following can be used with ssl: record enable per-record tracing handshake print each handshake message keygen print key generation data session print session activity defaultctx print default SSL initialization sslctx print SSLContext tracing sessioncache print session cache tracing keymanager print key manager tracing trustmanager print trust manager tracing pluggability print pluggability tracing handshake debugging can be widened with: data hex dump of each handshake message verbose verbose handshake message printing record debugging can be widened with: plaintext hex dump of record plaintext packet print raw SSL/TLS packets