QuickFIX initiator certificates are not required to establish SSL communication with the acceptor

I've been working on a client API using QuickFIX and I'm planning to use SSL and certificate-based authentication. I generated self-signed certificates for acceptor and initiator the following way:

1) Generate and export server/acceptor certificate:

keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -keystore server.jks
keytool -export -alias server -file server.cer -keystore server.jks

2) Generate and export client/initiator certificate:

keytool -genkeypair -keyalg RSA -keysize 2048 -alias client -keystore client.jks
keytool -export -alias client -file client.cer -keystore client.jks

3) Import server/acceptor certificate to client keystore:

keytool -import -v -trustcacerts -alias server -file server.cer -keystore client.jks

4) Import client/initiator certificate to server/acceptor keystore:

keytool -import -v -trustcacerts -alias client -file client.cer -keystore server.jks

Acceptor config:

SocketUseSSL=Y
SocketKeyStore=server.jks
SocketKeyStorePassword=password

Initiator config:

SocketUseSSL=Y
SocketKeyStore=client.jks
SocketKeyStorePassword=password

Everything seems to work fine and data is getting encrypted. However, if I remove the initiator's client.jks keystore file, I will get a QuickFIX log entry saying "client.jks: keystore not found, using empty keystore". Strange thing, the initiator is still able to connect and establish a valid FIX session. I would have expected the connection to be dropped immediately since no valid certificate is provided. Am I missing something?

Almsgiver answered 2/10, 2015 at 9:35

The client certificate is not required by default; you must set this: NeedClientAuth=Y

Garbo answered 23/11, 2017 at 6:25
Your answer is valid although QuickFIX did not support client certificate authentication until quickfixj.org/jira/browse/QFJ-821 - Almsgiver
