Posted By: Berin_Loritsch
Posted On: Thursday, October 11, 2001 10:44 AM
It is a multi-step process. I went through the pangs of implementing PKI
support in Apache JMeter.

- You must have the CA certificates installed on your client. That
  means in $JAVA_HOME/jre/lib/security/cacerts or in
  $JAVA_HOME/jre/lib/security/jssecacerts. The keystore with the
  Certificate Authority (CA) certificates MUST be in Sun's JKS format
  (readable with keytool by default).

- You must supply the keystore with the certificate and private key.
  This can be a JKS format keystore or a PKCS12 file. The certificate
  must be an X.509 compliant certificate signed by the proper CA
  certificate. Lastly, you MUST use a password that is 6 characters
  or more. This is an implementation bug in Sun's JSSE implementation,
  and forces you to have somewhat better security anyway.

- You must wrap the X509 Key Manager to use your keystore. In JSSE
  1.0.2 the class is com.sun.net.ssl.X509KeyManager.
  The version included with JDK 1.4 changes the package to be
  javax.net.ssl. Below is the code snippet from Apache
  JMeter that performs the initialization of the SSL session.
    // Imports for the JDK 1.4 package layout; under JSSE 1.0.2 the SSL classes
    // live in com.sun.net.ssl instead. The fields rand, context and defaultpw,
    // the getKeyStore() method and the WrappedX509KeyManager class belong to
    // the enclosing JMeter class and are not shown here.
    import java.security.KeyStore;
    import java.security.SecureRandom;
    import javax.net.ssl.*;

    private void initSSLContext() {
        if (null == this.rand) {
            this.rand = new SecureRandom();
        }
        // this.defaultpw is the password for the user keystore.
        try {
            this.context = SSLContext.getInstance("TLS");
            KeyManagerFactory managerFactory = KeyManagerFactory.getInstance("SunX509");
            KeyStore keys = this.getKeyStore();
            managerFactory.init(keys, this.defaultpw.toCharArray());
            KeyManager[] managers = managerFactory.getKeyManagers();
            // Replace each X509KeyManager with the wrapper that serves our keystore.
            for (int i = 0; i < managers.length; i++) {
                if (managers[i] instanceof X509KeyManager) {
                    X509KeyManager manager = (X509KeyManager) managers[i];
                    managers[i] = new WrappedX509KeyManager(manager, keys, this.defaultpw);
                }
            }
            // null trust managers => JSSE falls back to jssecacerts/cacerts for CA certificates.
            context.init(managers, null, this.rand);
            HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
        } catch (Exception e) {
            // A silently swallowed exception hides a bad keystore path or password;
            // at minimum report it so a failed setup is not mistaken for success.
            e.printStackTrace();
        }
    }
Now, every SSL handshake in the classloader will use your certificate
if the session requires authentication. I found that this can only be
done once, so you can't change the certificate once you set it.
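The post shows the JMeter initialization but not the body of WrappedX509KeyManager. The following is an added example, not JMeter's code, written against the javax.net.ssl package (JDK 1.4 and later; the try-with-resources syntax needs Java 7 or later). AliasPinningKeyManager is a hypothetical wrapper that delegates to the JSSE key manager but pins client-certificate selection to one named alias; the keystore paths, alias, password and URL in main are placeholders. It also enforces the 6-character password minimum up front and loads the CA keystore explicitly instead of relying on the cacerts fallback, so a missing CA certificate fails visibly at setup time rather than as an opaque handshake error.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Hypothetical wrapper in the spirit of the post's WrappedX509KeyManager: every call is
 * delegated to the JSSE key manager except alias selection, which is pinned to one
 * private-key entry so the client only ever presents the certificate the operator chose.
 */
final class AliasPinningKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final String alias;

    AliasPinningKeyManager(X509KeyManager delegate, KeyStore keys, String alias) throws Exception {
        if (!keys.isKeyEntry(alias)) {
            throw new IllegalArgumentException("keystore has no private-key entry under alias '" + alias + "'");
        }
        this.delegate = delegate;
        this.alias = alias;
    }

    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return alias; // offer the pinned identity whenever the server requests a client certificate
    }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return new String[] { alias };
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
}

public final class ClientCertSslSetup {
    /** Sun's JSSE/keytool reject shorter keystore passwords; fail early with a clear message. */
    static final int MIN_PASSWORD_CHARS = 6;

    /**
     * Builds an SSLContext from a client keystore (JKS or PKCS12) holding the X.509
     * certificate plus private key, and a JKS trust store holding the CA certificates.
     */
    static SSLContext build(String keyStorePath, String keyStoreType, char[] password,
                            String alias, String trustStorePath) throws Exception {
        if (password.length < MIN_PASSWORD_CHARS) {
            throw new IllegalArgumentException("keystore password must be at least " + MIN_PASSWORD_CHARS + " characters");
        }
        KeyStore keys = KeyStore.getInstance(keyStoreType); // "JKS" or "PKCS12"
        try (InputStream in = new FileInputStream(keyStorePath)) {
            keys.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, password);
        KeyManager[] managers = kmf.getKeyManagers();
        for (int i = 0; i < managers.length; i++) {
            if (managers[i] instanceof X509KeyManager) {
                managers[i] = new AliasPinningKeyManager((X509KeyManager) managers[i], keys, alias);
            }
        }

        // Explicit CA keystore instead of passing null trust managers (which silently
        // falls back to jssecacerts/cacerts), so a missing CA certificate fails here.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, null); // no integrity password needed just to read CA certificates
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(managers, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths, alias, password and URL for the example.
        SSLContext ctx = build("client.p12", "PKCS12", "changeit".toCharArray(), "client",
                               System.getProperty("java.home") + "/lib/security/cacerts");
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://example.invalid/").openConnection();
        // Per-connection factory rather than the JVM-wide default the post sets once.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Setting the factory on the individual HttpsURLConnection rather than through setDefaultSSLSocketFactory keeps each SSLContext scoped to the connections that need it, so a second context with a different client certificate can be built and used later without touching the process-wide default.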