CLIENT-CERT login does not work in intermediate elytron setup

1. Configure https in the server. 2. Create the certificate old security-domain and join to elytron intermediate config (users.jks is the keystore for valid client certs). /subsystem=security/security-domain=cert-security-domain:add(cache-type= default ) /subsystem=security/security-domain=cert-security-domain/jsse=classic:add(keystore={url= "${jboss.server.config.dir}/users.jks" , password= "XXXX" }) /subsystem=security/security-domain=cert-security-domain/authentication=classic:add(login-modules=[{code=Certificate, flag=required, module-options={password-stacking=useFirstPass, securityDomain=cert-security-domain}}]) /subsystem=security/elytron-realm=legacy-cert-realm:add(legacy-jaas-config=cert-security-domain) 3. Create the elytron domain and http factory using the legacy cert realm: /subsystem=elytron/security-domain=legacy-cert-domain:add(realms=[{realm=legacy-cert-realm}], default -realm=legacy-cert-realm, permission-mapper= default -permission-mapper) /subsystem=elytron/http-authentication-factory=legacy-cert-http:add(http-server-mechanism-factory=global, security-domain=legacy-cert-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT}]) 4. Create the undertow domain: /subsystem=undertow/application-security-domain=legacy-cert-domain:add(http-authentication-factory=legacy-cert-http) 5. Set TRACE to org.jboss.security. /subsystem=logging/logger=org.jboss.security:add(category=org.jboss.security, level=TRACE) 6. Deploy an application with CLIENT-CERT login authorization and configure the jboss-web.xml to use the legacy-cert-domain . Check the error PBOX00054: Unable to obtain a X509Certificate from class org.wildfly.security.evidence.X509PeerCertificateChainEvidence .