When Alex asks about your proxy, he actually means the front-end proxy for XNAT, which is your Apache HTTPD server: requests come into Apache HTTPD from outside, are routed to the Tomcat server on which your XNAT is deployed, which responds back to the front-end proxy, which then relays the response back to the client.
Re: your questions:
- Are we in the right track here? Yes, absolutely. This is the problem.
- Are any additional configuration changes to be made to tell the source XNAT to use these certificates? No. XNAT doesn’t know anything about certificates. You can do SSL termination (i.e. the encrypt/decrypt operations) in Tomcat or a front-end proxy like nginx or (in your case) Apache HTTPD, but XNAT has nothing to do with that.
The reason your curl call worked with the -k option is because that option tells curl explicitly to ignore verification issues with SSL certificates.
You mentioned that your Apache configuration "has the correct entries for the .CRT and .KEY pointing the correct certificates located in /etc/ssl/certs directory”. That may well be, but the certificate and private key stored in those files seem to be invalid as far as any of the requesting clients is concerned.
It’s possible that it's not the certificate and private key themselves, but maybe the root CA certificates on the server or on the client. Try updating the CA certificates on your systems with something like this:
sudo apt --only-upgrade install ca-certificates ca-certificates-java