RE: client authentication using a smart card

2009-10-20 Thread Marcello Marangio


> -Original Message-
> From: Jason Pyeron [mailto:jpye...@pdinc.us]
> Sent: Tuesday, October 20, 2009 13:03
> To: 'Tomcat Users List'
> Subject: RE: client authentication using a smart card
> 
> > -Original Message-
> > From: Marcello Marangio [mailto:m.maran...@innova.puglia.it]
> > > From: Jason Pyeron [mailto:jpye...@pdinc.us]
> > > > From: Marcello Marangio [mailto:m.maran...@innova.puglia.it]
> > > > > From: Jason Pyeron [mailto:jpye...@pdinc.us]
> > > >
> > > > Ok.
> > > > I made the same thing with IE and in the debug it says "null cert
> > > > chain"
> > > > during the client authentication handshake.
> > > > Now I am confused...
> > > >
> > >
> > > Let's step back and look.
> > >
> > > Can you provide the smart card and server certificate chain
> > (no keys
> > > please)?
> >
> > Hang on a second...
> > The server certificate is a self-signed certificate I made
> > with keytool.
> > The smart card certificate, instead, is a real one, I use to
> > legally sign electronic documents; the issuer is an Italian CA.
> >
> > Do you expect the issuer of the smart card certificate to be
> > the same as the server one?
> 
> Not always.
> 
> Let's take for example:
> 
> https://mail.pdinc.us <- PD Inc Public CA <- PD Inc Root CA
> 
>  and
> 
> MySmartCard <- DOD EMAIL CA-15 <- DoD Root CA-2
> 
> The S/MIME cert used on this email.
> 
> I can use my smart card to auth against the server. But the server must
> know about DoD Root CA-2.
> 


Ok. In my case:


https://localhost <- self signed certificate
and
Mysmartcard <- my certificate <- infocamere root CA

And in my trusted certificates keystore there is infocamere root CA.

Please find attached a signed text file you can read my cert info from.

Thanks
Marcello


myfile.txt.p7m
Description: S/MIME encrypted message

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: client authentication using a smart card

2009-10-20 Thread Marcello Marangio


> -Original Message-
> From: Jason Pyeron [mailto:jpye...@pdinc.us]
> Sent: Tuesday, October 20, 2009 12:13
> To: 'Tomcat Users List'
> Subject: RE: client authentication using a smart card
> 
> 
> 
> 
> > -Original Message-
> > From: Marcello Marangio [mailto:m.maran...@innova.puglia.it]
> > Sent: Tuesday, October 20, 2009 5:10
> > To: 'Tomcat Users List'
> > Subject: RE: client authentication using a smart card
> >
> >
> >
> > > -Original Message-
> > > From: Jason Pyeron [mailto:jpye...@pdinc.us]
> > > Sent: Monday, October 19, 2009 20:21
> > > To: 'Tomcat Users List'
> > > Subject: RE: client authentication using a smart card
> > >
> > 
> > > >
> > > >
> > >
> > > Do you have access to IE on Windows for this? If you do, it will be
> > > much quicker, and easier.
> > >
> > > I am just trying to get a baseline established, so I can plow through
> > > with my ten steps.
> > >
> >
> > Ok.
> > I made the same thing with IE and in the debug it says "null
> > cert chain"
> > during the client authentication handshake.
> > Now I am confused...
> >
> 
> Let's step back and look.
> 
> Can you provide the smart card and server certificate chain (no keys
> please)?

Hang on a second...
The server certificate is a self-signed certificate I made with keytool.
The smart card certificate, instead, is a real one, which I use to legally sign
electronic documents; the issuer is an Italian CA.

Do you expect the issuer of the smart card certificate to be the same as the
server one?

How can I print out the certificate chain?
Thanks again
M

> 
> > M
> >
> >
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> -                                                               -
> - Jason Pyeron                      PD Inc. http://www.pdinc.us -
> - Principal Consultant              10 West 24th Street #100    -
> - +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
> -                                                               -
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> This message is copyright PD Inc, subject to license 20080407P00.



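An added worked example, not code from the thread and not Jason's or Marcello's, for two points raised above: Jason's explanation that the server only has to know the root of the smart card's chain, not share an issuer with the server certificate, and Marcello's question about printing the certificate chain. The script builds throw-away OpenSSL certificates in the shape described in the thread (a self-signed certificate for localhost, and a card certificate issued by an intermediate CA under a root), prints each chain as "subject <- issuer", then verifies the card certificate against the right and the wrong trust anchor. Every name in it (Example Root CA, Example Issuing CA, Example Smart Card Holder) is a constructed stand-in, not the real Infocamere CA or the real card. Background the thread does not spell out: in TLS the server's CertificateRequest lists the CA names it trusts, JSSE fills that list from the server's truststore, a browser only offers client certificates that chain to one of those names, and "null cert chain" is the message JSSE emits when a mandatory client certificate request is answered with an empty certificate list.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild the two chains described
# above with throw-away OpenSSL certificates, print them, and verify the card
# certificate against the right and the wrong trust anchor.
#
#   https://localhost <- self-signed server certificate
#   MySmartCard       <- Example Issuing CA <- Example Root CA
#
# All names are constructed stand-ins, not the real Infocamere CA or card.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# req(1) wants a config even when -subj supplies the whole DN; a minimal one
# keeps the script independent of the system openssl.cnf.
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORK/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/card.ext"

# self_signed NAME SUBJECT BASIC_CONSTRAINTS KEY_USAGE: NAME.key + self-signed NAME.pem
self_signed() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/req.cnf" -subj "$2" \
        -addext "basicConstraints=critical,$3" -addext "keyUsage=critical,$4" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue NAME SUBJECT ISSUER EXTFILE: NAME.key + NAME.pem signed by ISSUER.key
issue() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/$1.csr" \
        -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
        -extfile "$WORK/$4" -out "$WORK/$1.pem" 2>/dev/null
}

build_pki() {
    self_signed root "/CN=Example Root CA" CA:TRUE keyCertSign,cRLSign
    issue issuing "/CN=Example Issuing CA" root ca.ext
    issue card "/CN=Example Smart Card Holder" issuing card.ext
    # unrelated self-signed server certificate, like the one keytool makes
    self_signed server "/CN=localhost" CA:FALSE digitalSignature,keyEncipherment
}

# print_chain CERT...: one "subject <- issuer" line per certificate, leaf first
print_chain() {
    for c in "$@"; do
        s=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$c" | sed 's/^subject=//')
        i=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$c" | sed 's/^issuer=//')
        printf '%s <- %s\n' "$s" "$i"
    done
}

# card_chains_to ANCHOR: succeeds when card.pem builds a valid path to ANCHOR.pem.
# -untrusted supplies the intermediate the way a browser sends it in the handshake.
card_chains_to() {
    openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/issuing.pem" \
        "$WORK/card.pem" >/dev/null 2>&1
}

build_pki
echo "client chain (what the server must be able to build from its truststore):"
print_chain "$WORK/card.pem" "$WORK/issuing.pem" "$WORK/root.pem"
echo "server chain:"
print_chain "$WORK/server.pem"
if card_chains_to root; then
    echo "card -> Example Root CA: OK (this root belongs in the truststore)"
fi
if card_chains_to server; then
    echo "unexpected: card verified against the server certificate"
else
    echo "card -> self-signed server cert: fails, as expected; the issuers need not match"
fi
```

Run it with sh; it needs only OpenSSL 1.1.1 or newer. Against a live server the same inspection is `openssl s_client -connect host:8443 -showcerts`, which prints the server chain and, when a client certificate is requested, an "Acceptable client certificate CA names" list; the card's issuer has to appear there. The certificates inside a PKCS#7 .p7m file can be listed with `openssl pkcs7 -inform DER -print_certs -noout -in file.p7m`. In Tomcat 6 the truststore behind that list is the connector's truststoreFile (falling back to the JVM default), and clientAuth="true" makes the client certificate mandatory.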
RE: client authentication using a smart card

2009-10-20 Thread Marcello Marangio


> -Original Message-
> From: Jason Pyeron [mailto:jpye...@pdinc.us]
> Sent: Monday, October 19, 2009 20:21
> To: 'Tomcat Users List'
> Subject: RE: client authentication using a smart card
> 

> >
> >
> 
> Do you have access to IE on Windows for this? If you do, it will be much
> quicker, and easier.
> 
> I am just trying to get a baseline established, so I can plow through
> with my ten steps.
> 

Ok.
I made the same thing with IE and in the debug it says "null cert chain"
during the client authentication handshake.
Now I am confused...

M



RE: client authentication using a smart card

2009-10-19 Thread Marcello Marangio
Hi Jason, thanks for your answer.

> >
> > Hi all
> >
> > This is my very first message in the list.
> >
> > I am trying to use the SSL and client authentication feature
> > in Tomcat 6, using a PKCS#11-compliant smart card reader and a
> > real authentication smart card (Italian CNS).
> >
> > In the browser (Firefox) I obtain a
> 
> First, make sure your browser knows about the certificate and smart card
> reader. We have been having issues with recent Firefox releases on this.
> The debugging steps I would take are:
> 1) Use Windows / IE. If the server requires or requests a client cert it
> will pop up a selection window even if IE does not know how to fulfil the
> request. This will indicate if Tomcat is or is not requesting client certs.
> 2) Verify IE knows about the smart card cert: use certmgr.msc to see if the
> smart card certificate is installed, as well as the trust chain.
> 3) Verify IE prompts for the smart card cert in the client cert popup
> selection dialog.
> 4) Verify Tomcat <-> IE talk over SSL.
> 
> 
> >

It seems that Firefox behaves: if the smart card is in, Firefox asks for the
PIN of the smart card.
I am pretty sure it can read my smart card, because I can use mod_ssl with
Apache 2.2 and I can read the certificate's information with a Perl routine.

Furthermore, from the debug logs it is clear that there is an SSL
handshake going on.
Any clue?
Thanks
M


[CUT]

> >
> > Is Tomcat's behavior correct or is it a bug?
> >
> 
> The above steps will allow a quicker diagnosis.
> 
> >
> >
> > Thanks a million
> >
> > Marcello
> >


