I repost this because it didn't show up on the list but a subsequent posting already did:
> The client browser scans his (previously imported) client certs > for a matching cert isssuer/signer and sends (?) this to the server. This part should read: The client browser scans his (previously imported) client certs for a matching cert issuer/signer, fills / pops up a choice dialog box to select a client cert from, and sends (?) the users selection back to the server. This choice box was usually empty in MS IE. Read my previous posting "Any success with Tomcat 4.0.2 and client certificates in MS IE ?" Wolfgang Stein wrote: > > As far as i understand the client-auth handshake, > the server sends a list of trusted CAs to the client. > > This list is take from > <JAVA_HOME_set_in_your_tomcat>\lib\security\cacerts > So you have to import your CA-cert into that file, > instead of your .keystore . > There is no need to import the client cert into cacerts or keystore. > > The client browser scans his (previously imported) client certs > for a matching cert isssuer/signer and sends (?) this to the server. > > You will face a difference in comparism of the ca certs between > nestcape / MS IE. > > Gruß, > Wolfgang > > > > -----Ursprüngliche Nachricht----- > > Von: Brian Palmer [mailto:[EMAIL PROTECTED]] > > Gesendet: Dienstag, 26. Februar 2002 11:58 > > An: [EMAIL PROTECTED] > > Betreff: SSL Client authentication with standalone Tomcat > > > > > > I'm trying to set up for a simple project client-authentication and CA > > abilities, using standalone tomcat and openssl. I'm not having > > luck. The short version is, when I enable clientAuth, I am unable to > > connect to the server, getting various messages (in Mozilla 0.9.8, I > > get no error messages but the page will not load, using openssl > > s_client I get a write error). > > > > Forgive me in advance for this long message, but my hope is that by > > explicitly stating what I'm doing, it will be easy for someone more > > experienced to see where I'm going wrong. I've spent much of the last > > 2 days searching online for information and trying different > > approaches; most of the problems/solutions don't give a lot of details > > > > I've done the following: > > > > Step 1: Generate the tomcat request for certificate > > keytool -genkey -alias tomcat -keyalg RSA > > > > keytool -certreq -alias tomcat -file my.csr > > > > Step 2: Generate the ca certificate > > openssl req -new -newkey rsa:512 -nodes -out ca.req \ > > -keyout ca.key > > > > openssl x509 -trustout -signkey ca.key -days 365 \ > > -req -in ca.req -out ca.crt > > > > Step 3: Sign the tomcat request to generate tomcat certificate > > openssl x509 -CA ca.crt -CAkey ca.key -in my.csr \ > > -out my.crt -req -CAcreateserial > > > > Step 4: Import both into my keystore > > keytool -import -file ca.crt -alias RootCert > > > > keytool -import -file my.crt -alias tomcat > > > > I can then stop and restart tomcat, and non-client-authenticated https > > works. I then go on to > > > > Step 5: Generate a client certificate > > openssl req -new -newkey rsa:512 -nodes \ > > -out client.req -keyout client.key > > > > openssl x509 -CA ca.crt -CAkey ca.key \ > > -req -in client.req \ > > -out client.crt > > > > I then enable clientAuth="true", and try to connect to tomcat using > > the openssl s_client: > > openssl s_client -cert client.crt -key client.key \ > > -connect localhost:8443 > > and get the following output: > > CONNECTED(00000003) > > depth=1 /C=US/ST=California/L=Stanford/O=Stanford > > University/OU=CSD/CN=UStorit [EMAIL PROTECTED] > > verify error:num=19:self signed certificate in certificate chain > > verify return:0 > > write:errno=104 > > > > Any ideas? Or ideas on how to debug this? (I'm coming up against a > > deadline, so any hints much appreciated) > > > > -- > > Brian Palmer > > "Whoever fights monsters should see to it that in the process he does > > not become a monster. And when you look long into an abyss, the abyss > > also looks into you" - Nietzsche > > > > > > -- > > To unsubscribe: <mailto:[EMAIL PROTECTED]> > > For additional commands: <mailto:[EMAIL PROTECTED]> > > Troubles with the list: <mailto:[EMAIL PROTECTED]> > > -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]>
