You mentioned updating your trust store with the public cert provided by the client. However, kindly note that your trust store must contain at least the following keys and certificates:
- root CA private key
- root CA public key
- client certificate signing request
- client certificate private key
- client certificate public key
With that being said, there are multiple variants of errors which fall under the javax.net.ssl.SSLHandshakeException.
Depending on the additional information found in the error message, the answer will be different. Could I kindly ask that you provide the full error message from the client?
For example, it would look something like this: "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
I would, however, highly recommend ensuring and validating that the steps provided at  are correct, as that would help isolate the issue.
Also, is it only a specific client having trouble connecting to your API? Or are other clients able to send requests to your API-GW successfully?
References: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/