Our security department rejected the use of provided CA ssl configuration shipped with RA servers. We have to replace with our own. Think this will be the case for most clients
Documentation in installation guide is quite clear, although sometimes incomplete.
Successfully managed to do it for clients connecting to NAC UI (tomcat NAC server.xml modifications) and Automation Studio jnlp (signing custom truststore jar with public certificate)
However, impossible to be successful for NAC to NES secure communication.
Did everything correct, using your installation guide and tomcat SSL how tos.
For NAC have
* A keystore correctly configured with NAC Certificate/Private key combo
* A truststore with NES public certificate
For NES got the opposite:
* A keystore correctly configured with NES Certificate/Private key combo
* A truststore with NAC public certificate
Both HTTPS and ActiveMQ communications are correctly configured in tomcat configuration files.
However, still have PKIX errors and don't have much more information inside either NAC or NES logs.
None of the log files, either NAC's or NES's, provides additional useful information about WHY this is failing, even the *_all.log files, which contain all the debug statements for the servers.
More information and more details shall be available about this security need.
To figure out the PKIX errors, a solution might be to import CARoot into NAC's cacerts keystore
keytool -import -alias nolio -file ca.crt -keystore <NAC Installation Folder>/jre/lib/security/cacerts
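The following is an added diagnostic example, not code from this thread, from the installation guide, or from the product. Before importing anything into cacerts, it is worth running the same certification-path check the Java PKIX trust manager performs, using openssl against a PEM copy of the truststore. The script builds a throw-away PKI (a root CA, an issuing CA, and a server certificate standing in for NES) and shows which truststore contents let the NES certificate validate and which produce the "unable to get issuer" style failure that surfaces in Java as a PKIX error. It assumes openssl is on the PATH; every name in it (nolio-root, nolio-issuing, nes.example.local, nac.example.local) is constructed for the demo. For a real JKS or PKCS12 truststore, export each entry with `keytool -exportcert -rfc -alias <alias> -keystore <store>` and concatenate the PEM output into one bundle to use as TRUSTSTORE.

```shell
#!/bin/sh
# Added example (not from the thread or the product): check whether a peer
# certificate chains to an anchor in a given truststore, the way a Java PKIX
# trust manager would, and show the usual reasons it does not.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"

# Build a constructed PKI in $WORK: root CA -> issuing CA -> NES server cert,
# plus an unrelated self-signed certificate standing in for NAC's own cert.
make_demo_pki() {
  (
    cd "$WORK"
    # Root CA (self-signed).
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=nolio-root" \
      -keyout root.key -out root.crt >/dev/null 2>&1
    # Issuing (intermediate) CA; it must carry CA:TRUE or it cannot sign leaves.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -newkey rsa:2048 -nodes -subj "/CN=nolio-issuing" \
      -keyout inter.key -out inter.csr >/dev/null 2>&1
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 2 -extfile ca.ext -out inter.crt >/dev/null 2>&1
    # NES server certificate, issued by the intermediate, not by the root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=nes.example.local" \
      -keyout nes.key -out nes.csr >/dev/null 2>&1
    openssl x509 -req -in nes.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
      -days 2 -out nes.crt >/dev/null 2>&1
    # Unrelated self-signed certificate (stand-in for NAC's own certificate).
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=nac.example.local" \
      -keyout nac.key -out nac.crt >/dev/null 2>&1
  )
}

# verify_peer TRUSTSTORE PEER_CERT [EXTRA_CHAIN]
# Returns 0 when PEER_CERT chains to an anchor in TRUSTSTORE (a PEM bundle),
# non-zero otherwise. EXTRA_CHAIN holds the intermediates a TLS server sends
# alongside its own certificate. Only TRUSTSTORE is trusted: the system CA
# store is explicitly disabled so the result reflects that bundle alone.
verify_peer() {
  truststore="$1"; peer="$2"; extra="${3:-}"
  if [ -n "$extra" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$truststore" \
      -untrusted "$extra" "$peer" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -CAfile "$truststore" "$peer" >/dev/null 2>&1
  fi
}

# Run the four scenarios and print one line per result.
run_demo() {
  make_demo_pki
  cd "$WORK"
  cat root.crt inter.crt > trust_full.pem
  report() { if verify_peer "$@"; then echo "OK   : $*"; else echo "FAIL : $*"; fi; }
  report root.crt nes.crt             # FAIL: issuing CA is in neither truststore nor peer chain
  report root.crt nes.crt inter.crt   # OK: peer sends its intermediate, root is trusted
  report trust_full.pem nes.crt       # OK: truststore holds the whole issuing chain
  report nac.crt nes.crt              # FAIL: trusting the wrong certificate entirely
}

run_demo
```

The first and last lines of the report are the two configurations that most often end in a PKIX error: the truststore holds the right root but the peer's intermediate is missing from both sides, or the truststore holds a certificate that simply is not on the peer's chain. Exporting the certificate actually presented by the peer (for example with `openssl s_client -showcerts -connect host:port`) and feeding it to verify_peer tells which case applies before any change to cacerts is made.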