Chrome and IE not accepting client certificate

I have two sites on different hosts protected by the same SSL certificate, one Apache2, one JBOSS.

My process:

  1. Created a private CA.
  2. Created a new certificate and signed it with the CA.
  3. Converted the certificate to PKCS12 format.
  4. Imported the PKCS12 certificate into a JKS (because that is what JBOSS likes).

I installed the client certificate and the CA certificate in all browsers. (Installing the CA certificate is not necessary, but it gets rid of the red / danger icon in the URL bar.)

Ubuntu 14.04

  • Firefox lets me access both sites using the client certificate.
  • Chrome lets me access the Apache2 site, but gives an error on the JBOSS site: ERR_BAD_SSL_CLIENT_AUTH_CERT

Windows 7

Chrome, Firefox & IE all let me access the Apache2 site; none of them let me access the JBOSS site.

  • Firefox: ssl_error_bad_cert_alert
  • Chrome: ERR_BAD_SSL_CLIENT_AUTH_CERT
  • IE: This page can't be displayed

The certificate & root certs are both current, they just can't be verified.

Anyone have a theory / solution?

Some redacted openssl command-line output, in case it helps:

$ openssl s_client -connect jboss_host:8443 -cert client.pem -showcerts -CAfile private_ca.crt
CONNECTED(00000003)
depth=1 C = US, ST = California, L = Mendocino, O = My Company, CN = My Company CA, emailAddress = [email protected]
verify return:1
depth=0 C = US, ST = California, L = Mendocino, O = My Company, OU = Systems, CN = OND, emailAddress = [email protected]
verify return:1
139661545379488:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1262:SSL alert number 46
139661545379488:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
--- 
Certificate chain
 0 s:/C=US/ST=California/L=Mendocino/O=My Company/OU=Systems/CN=OND/[email protected]
   i:/C=US/ST=California/L=Mendocino/O=My Company/CN=My Company CA/[email protected]
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mendocino/O=My Company/OU=Systems/CN=OND/[email protected]
issuer=/C=US/ST=California/L=Mendocino/O=My Company/CN=My Company CA/[email protected]
---
Acceptable client certificate CA names
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR/CN=MESA Certificate Factory/[email protected]
/C=US/ST=Illinois/L=Champaign/O=ACME Integrated Systems/OU=Research Division/CN=ACME Certificate Factory/[email protected]
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR Production/CN=MESA Certificate Factory/[email protected]
/C=US/ST=Illinois/L=Champaign/O=ACME Integrated Systems/OU=Research Division/CN=ACME Certificate Factory/[email protected]
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR Production/CN=MESA Certificate Factory/[email protected]
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR/CN=MESA Certificate Factory/[email protected]
---
SSL handshake has read 2028 bytes and written 2356 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
    Session-ID-ctx:
    Master-Key: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1429133346
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
by nortally 15.04.2015 / 22:12
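The part of that output worth checking is the CA list: a TLS server names the issuer DNs it will accept in its CertificateRequest, and s_client prints them under "Acceptable client certificate CA names". As an added example, not code from the question or from any project it mentions, this Python script parses that block and checks whether the client certificate's issuer (as printed by `openssl x509 -in client.pem -noout -issuer`) appears in it; the sample output and e-mail addresses are constructed, since the post redacts them.

```python
# Constructed sample modelled on the question's `openssl s_client` output; the e-mail
# addresses are placeholders because the post redacts them.
S_CLIENT_OUTPUT = """\
---
Acceptable client certificate CA names
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR/CN=MESA Certificate Factory/emailAddress=mesa@example.invalid
/C=US/ST=Illinois/L=Champaign/O=ACME Integrated Systems/OU=Research Division/CN=ACME Certificate Factory/emailAddress=acme@example.invalid
---
SSL handshake has read 2028 bytes and written 2356 bytes
"""

# Issuer of the client certificate as `openssl x509 -in client.pem -noout -issuer`
# prints it on OpenSSL 1.1+ (placeholder address; the post names "My Company CA").
CLIENT_ISSUER = ("issuer=C = US, ST = California, L = Mendocino, O = My Company, "
                 "CN = My Company CA, emailAddress = ca@example.invalid")

def parse_dn(dn):
    """Normalise a DN to a tuple of (attribute, value) pairs.
    Handles the slash form ('/C=US/ST=...') printed by s_client and OpenSSL 1.0 and the
    comma form ('C = US, ST = ...') of OpenSSL 1.1+; unescaped '/' or ',' in a value is
    not handled."""
    dn = dn.strip()
    if dn.startswith(("issuer=", "subject=")):   # strip the x509 -issuer/-subject label
        dn = dn.split("=", 1)[1].strip()
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(",")
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        if attr.strip():
            pairs.append((attr.strip(), value.strip()))
    return tuple(pairs)

def acceptable_client_cas(s_client_output):
    """DNs the server advertised under 'Acceptable client certificate CA names'."""
    cas, collecting = [], False
    for line in s_client_output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            collecting = True
        elif collecting and line.startswith("---"):
            break                                   # end of the CertificateRequest list
        elif collecting and line.strip():
            cas.append(parse_dn(line))
    return cas

def issuer_is_acceptable(client_issuer, s_client_output):
    """True if the client cert's issuer is one the server says it trusts; False means the
    server cannot chain the certificate, which fits the alert 46 seen in the question."""
    return parse_dn(client_issuer) in acceptable_client_cas(s_client_output)
```

If the check returns False, the next place to look is the truststore the JBOSS connector uses for client authentication, since that is where the advertised list comes from.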

0 answers