The problem with homemade digital certificates generated with keytool is 
that they are self-signed, so IExplorer and other browsers do not trust 
them and do not let you use them for user authentication. However, if you 
make your own CA using openssl and generate server and client 
certificates, you will see that it works. You only have to add your new CA 
to the trusted group for IExplorer (similar with other browsers).

When you make a connection to a secure server, it returns data about which 
CAs it will accept (which CA means which client digital certificates, 
signed by the given CAs).

You can also use Thawte test certificates (client & server), but it is 
the same as using openssl as I describe above.

Please, send me your howto and I will take a look :)

By the way, if you use Apache as a frontend your setup will work better and 
faster, and you will be able to load balance ;)

Henrik Schultz wrote:

>Greetings all...
>
>For those not interested in client certificates at the deep technical
>level, this is probably not your favorite cup of tea. Otherwise read on.
>
>Enabling SSL in Tomcat is really no sweat using your own home-made
>certificates, thanks to the excellent HOW-TO. Once you get your root CA
>certificate installed in the right places, and a suitable certificate
>installed in Tomcat, everything works just fine.
>
>However, creating client certificates that work with IE has (at least for
>me) shown to be a real pain. I've experimented for months, and tried
>numerous postings on this list, but no one seemed to know the finer details.
>It was only recently I had a breakthrough, in that a trial certificate from
>Verisign allowed me to compare that and a home-made one, and find the bits
>that make the difference, that is, what it takes for it to be shown on the
>selection list in IE when the server asks for a client certificate.
>Last night I succeeded. The right combination of keytool and openssl
>manoeuvres to set up a private CA finally generated a certificate that
>installed without a hitch in IE, and came up when I subsequently connected
>to my SSL-enabled Tomcat. So far so good.
>
>However there is still one major obstacle ... the server aborts the
>connection right away :-((((
>
>IE tells me:
>
>"The page cannot be displayed
>The page you are looking for is currently unavailable.
>The Web site might be experiencing technical difficulties,
>or you may need to adjust your browser settings."
>
>In other words, the usual message that indicates that the server screwed
>up, and closed the connection.
>
>Interestingly enough the Verisign certificate works just fine. So there is
>apparently still a difference to Tomcat.
>Have tried to connect using openssl s_client - works A-OK, also with my
>home-made certificate.
>Have looked in the tomcat logs to no avail. There is no trace anywhere why
>the connection breaks.
>
>So the question to the list is: how would I go about diagnosing this? I
>believe that the problem must be related to the SSL container (?) that
>responds to the traffic on port 443 and does all the SSL handshaking,
>because my application never sees anything.
>Just like in Apache there's an error log for all the pages that fail -
>isn't there such a log in Tomcat?
>
>Thanks for any input or advice you might have!
>
>PS. If anyone is interested in a writeup or HOW-TO of making client
>certificates for Tomcat, let me know. This is certainly tricky stuff!
>
>Henrik Schultz
>Senior Systems Architect
>Consultant to Maersk Data AS
>Tel.: +45 39 10 21 13
>Mobile: +45 22 12 24 29
>E-mail: [EMAIL PROTECTED]
>
>
>--
>To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
>For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>




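The procedure the reply above describes, as an added example that is not code from either poster: a private CA built with openssl, a server certificate and a clientAuth certificate issued from it, and the client key and certificate bundled as PKCS#12 for import into a browser. The CA name, the hostname tomcat.example.test, the user name henrik, the password and the working directory are all invented for the example; the keytool and s_client commands in the trailing comments are shown for reference and are not run by the script.

```shell
#!/bin/sh
# Added example (not from the original thread): a private CA with openssl,
# one server certificate and one client certificate signed by it, and a
# PKCS#12 bundle of the client credentials. Every name below is invented.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_CRT="$WORK/ca.crt"; CA_KEY="$WORK/ca.key"

# Small req config so nothing here depends on the system openssl.cnf.
# $1 = CN, $2 = output file
write_req_cnf() {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$1" > "$2"
}

# The CA: a self-signed certificate marked CA:true with keyCertSign. This is
# the one file you import into the browser's trusted roots and into the
# truststore Tomcat is configured with.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$CA_KEY" 2048 2>/dev/null
    openssl req -new -x509 -key "$CA_KEY" -out "$CA_CRT" -days 3650 -sha256 \
        -config "$WORK/ca.cnf"
}

# Issue an end-entity certificate signed by the CA. The extendedKeyUsage is
# what distinguishes a server certificate from a client one; browsers filter
# the client-certificate selection list on it.
# $1 = file prefix, $2 = CN, $3 = extendedKeyUsage, $4 = optional subjectAltName
issue_cert() {
    name="$1"; cn="$2"; eku="$3"; san="${4:-}"
    write_req_cnf "$cn" "$WORK/$name.cnf"
    {
        echo 'basicConstraints = CA:FALSE'
        echo 'keyUsage = critical, digitalSignature, keyEncipherment'
        echo "extendedKeyUsage = $eku"
        if [ -n "$san" ]; then echo "subjectAltName = $san"; fi
    } > "$WORK/$name.ext"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -out "$WORK/$name.csr" -config "$WORK/$name.cnf"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
        -days 365 -sha256 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt"
}

# Browsers import client credentials as PKCS#12; include the CA so the chain
# travels with the key. The password is a placeholder.
bundle_p12() {
    openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" -certfile "$CA_CRT" \
        -name "$1" -passout pass:changeit -out "$WORK/$1.p12"
}

# Exit 0 if the certificate chains to our CA (the check Tomcat's truststore makes).
verify_against_ca() {
    openssl verify -CAfile "$CA_CRT" "$1" >/dev/null 2>&1
}

# Print "client", "server" or "unknown" from the certificate's extendedKeyUsage.
cert_role() {
    if openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'; then
        echo client
    elif openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'; then
        echo server
    else
        echo unknown
    fi
}

make_ca
issue_cert server tomcat.example.test serverAuth DNS:tomcat.example.test
issue_cert client henrik clientAuth
bundle_p12 client

# Reference only, not run here (needs a JDK): put the CA into the truststore
# Tomcat uses, so its CertificateRequest lists this CA as acceptable:
#   keytool -importcert -trustcacerts -alias example-ca -file ca.crt -keystore truststore.jks
# To see which CAs a live server announces, connect with s_client and look for
# "Acceptable client certificate CA names" in its output:
#   openssl s_client -connect tomcat.example.test:443 -CAfile ca.crt -cert client.crt -key client.key
echo "PKI written to $WORK"
```

Run it with `sh`; it prints the directory holding ca.crt, server.crt/server.key and client.p12. Import ca.crt into the browser's trusted roots and into the truststore Tomcat reads, and client.p12 into the browser's personal store. A certificate issued without `clientAuth` still passes `openssl verify`, which is why `cert_role` checks the extension separately: chaining correctly and being offered by the browser are two different tests.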