I am using Tomcat 4.1.x, which does not support OpenSSL key formats. So again, there may be some difference due to that.
The Java JSSE documentation distinguishes between KeyStores and TrustStores. The KeyStore contains your private key and your certificate /public key. The TrustStore contains trusted root certificates. If a certificate that is submitted to your server is chained to one of the certificates in your TrustStore, it will be accepted. The TrustStore and KeyStore may be in one physical file (keystore file).
In your e-mail you do not state whether Apache is brokering your Tomcat requests. If it is, then this answer will not apply, because Apache will be handling your SSL connection, not Tomcat.
During the SSL handshake Tomcat will send your certificate/public key to the client. If the browser client does not trust your certificate (by tracing its chain back to a trusted root) it will typically pop up a window asking you whether it should be accepted or not.
If "client authentication" is turned on, a request for the client certificate is attached to the transmission of your certificate/public key. The browser should then transmit the client certificate/client public key. When Tomcat receives it, it looks in the TrustStore (same file as its KeyStore) to see if the certificate is chained to a trusted certificate.
It seems that your error message is stating that Tomcat is not finding the trusted root in its keystore file. Since your e-mail doesn't state that you imported the client certificate into your Tomcat keystore file, this is the likely cause.
To fix it, import your client certificate into your Tomcat TrustStore (keystore file).
Note that the J2SDK is shipped with a keystore file that contains all of the major CA roots. ($java_home/lib/security/cacerts)
For production, you may need to merge your keys and certificates with the ones in this file.
Also note that the Verisign certificates in many of the early 1.4.x JREs have expired. Download the latest cacerts file for production.
Hope this helped.
Regards, Bob Feretich
Subject: Rejected client certificate by the server
From: Carlos Bracho <[EMAIL PROTECTED]>
Date: Wed, 26 Jan 2005 14:49:24 -0400
To: tomcat-user@jakarta.apache.org
Hello everyone.
I am writing you because I have a big problem using SSL and client authentication. I created a connector for the client connections:
<Connector port="9443" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           keystoreFile="C:/WINDOWS/security/server.ks"
           keystorePass="*********"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="true" sslProtocol="SSL" />
As it is for educational purposes, I created my own self-signed CA using openssl and generated a certificate request for the web server, and then I signed it with the self-signed CA. Then I created a client certificate and signed it with the self-signed CA. I imported the self-signed CA into Firefox as a certificate authority and the client certificate as a client certificate, but when I try to establish a connection I get this error message: "Could not establish an encrypted connection because your certificate was rejected by agatha. Error Code -12271" (agatha is the apache server). I got an openssl manual and I saw that I followed the right steps to create the CA and the client certificate. I also read that the common name of the client must match an entry in tomcat-users.xml; I created an entry with this common name and the error message still appears. When I use Internet Explorer I get an error page with this title: The page cannot be displayed
I opened the stdout.log file and there is an exception repeated 5 times:
NotifyUtil::java.net.ConnectException: Connection refused: connect
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.PlainSocketImpl.doConnect(Unknown Source)
        at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
        at java.net.PlainSocketImpl.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at sun.net.NetworkClient.doConnect(Unknown Source)
        at sun.net.www.http.HttpClient.openServer(Unknown Source)
        at sun.net.www.http.HttpClient.openServer(Unknown Source)
        at sun.net.www.http.HttpClient.<init>(Unknown Source)
        at sun.net.www.http.HttpClient.<init>(Unknown Source)
        at sun.net.www.http.HttpClient.New(Unknown Source)
        at sun.net.www.http.HttpClient.New(Unknown Source)
        at sun.net.www.http.HttpClient.New(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
        at org.netbeans.modules.web.monitor.server.NotifyUtil$RecordSender.run(NotifyUtil.java:237)
:'(
What is happening??? Is there something wrong??
--
Carlos J. Bracho M.
e-mail: [EMAIL PROTECTED]
MSN: [EMAIL PROTECTED]
+58 416 409 21 75
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]