Need help with Riak-KV (2.1.4) certificate based authentication using Java client

Luke Bakken lbakken at
Tue Aug 30 10:13:42 EDT 2016

Kyle -

The CN should be either the DNS-resolvable host name of the Riak node,
or its IP address (without "riak@"). Then, the Java client should be
configured to use that to connect to the node (either DNS or IP).
Without doing that, I really don't have any idea how the Java client
is validating the server certificate during TLS handshake. Did you
configure the client to *not* validate the server cert?

Luke Bakken
lbakken at

On Mon, Aug 29, 2016 at 3:18 PM, Nguyen, Kyle <kyle.nguyen at> wrote:
> Hi Luke,
> The CN for client's certificate is "kyle" and the CN for riak cert (ssl.certfile) is "riak at" which matches the nodename in the riak.conf. Riak ssl.cacertfile.pem contains the same CA (getACert) which I used to sign both client and riak public keys. It appears that riak also validated the client certificate following this SSL debug info. I do see *** CertificateVerify (toward the end) after the client certificate is requested by Riak. Please let me know if it looks right to you.
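
The name check discussed in this message, as an added example (not code from the thread or from the Riak Java client): it compares a certificate subject's CN with the host the client dials, and shows the standard JSSE setting that makes the TLS handshake perform that comparison. Plain JSSE sockets and engines validate the certificate chain but compare names only when an endpoint identification algorithm is set. The class name, host name, subject DNs and port are constructed for illustration.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class CnCheck {
    // Pull the CN out of a subject DN such as "CN=riak1.example.test,O=Example".
    static String commonName(String subjectDn) throws InvalidNameException {
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    // True only when the CN is exactly the host name or IP the client dials.
    static boolean cnMatchesHost(String subjectDn, String connectHost)
            throws InvalidNameException {
        String cn = commonName(subjectDn);
        return cn != null && cn.equalsIgnoreCase(connectHost);
    }

    // Client-side engine that makes JSSE compare the certificate with `host`
    // during the handshake. The "HTTPS" algorithm prefers subjectAltName
    // entries and matches IP literals against iPAddress entries.
    static SSLEngine verifyingEngine(String host, int port) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        String host = "riak1.example.test"; // constructed host the client dials
        String[] subjects = {               // constructed certificate subjects
            "CN=riak@riak1.example.test,O=Example", // node-name style: no match
            "CN=riak1.example.test,O=Example",      // host name: match
        };
        for (String dn : subjects) {
            System.out.println(dn + " matches " + host + ": " + cnMatchesHost(dn, host));
        }
        SSLEngine engine = verifyingEngine(host, 8087); // assumed port
        System.out.println(engine.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```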
