Hi Peter,
Thanks for your reply. We can all use a day off now and then :-) In the meantime I have cracked the nut...! Yes, really!! Last night I succeeded in sending a self-generated certificate from IE to Tomcat that was verified and accepted and let me in on the site. I still have to sort out the exact chain of events that led to this discovery, and will mail them to you and the list once I've got them in the correct order. Here are some hints though:

In retrospect, I did make some mistakes along the way, such as installing my private self-issued certificate in the IE keystore WITHOUT the private key. In other words, I installed the certificate by converting it into DER format, and then importing it into IE. Wrong! What you MUST do is combine both the certificate AND the private key into a PKCS#12 file (using "openssl pkcs12"), and then install that in IE. Once I did that it worked. This was apparently the reason for the SSL handshake failure that we have both seen. You should verify whether this solves your problem too.

NB. To install other people's certificates, as well as CA and server certificates, one should still only install the certificate in DER format, WITHOUT the key. Particularly for your own CA certificate ;-)

However, other things I did prior to that may have contributed to the process too; this is what I need to sort out. One thing I found was that IE does not like keys longer than 1024 bits. I experimented with 512-bit keys right before I succeeded, so that may have left some files in a different order.

Other noteworthy observations: you MUST use your own CA certificate to sign EVERYTHING (server + clients), AND the CA certificate should be installed in the Tomcat JKS keystore (used for client cert validation), AND the CA cert should also be in the trusted CAs file under the JRE (used for client cert selection in IE).
A tricky part is to create a "keyEntry" certificate in the JKS keystore for Tomcat; if you just create your own key + cert and install that in the keystore using keytool, it will show up as a "trustedCertEntry", because the private key is not imported. So you actually start out by creating the JKS certificate following the guidelines for keytool, then you create a CERTREQ using keytool, and then you sign that request using your own CA cert. Finally you import the signed cert back into the keystore (this is the only time keytool allows you to import a certificate which already exists in the keystore!), and voila! you have a self-CA-signed cert for Tomcat. (If you know of ways to import a private key for an existing certificate in a JKS, please let me know.)

Hope these initial comments help. Otherwise stay tuned for the HOW-TO :-)

Regards
- Henrik Schultz
Senior Systems Architect
Consultant to Maersk Data AS
Tel.: +45 39 10 21 13
Mobile: +45 22 12 24 29
E-mail: [EMAIL PROTECTED]

"Peter Werno" <[EMAIL PROTECTED]>
02-07-2002 20:30
To: "Henrik Schultz" <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>
Subject: Re: Tomcat 4 - OpenSSL - IE client certificate works partially

Hello Henrik,

sorry for not getting back to you, I had a day off :-) I will try to change the server certificate to a "real" (CA-issued) certificate tomorrow and let you know if it works.

I have previously used Apache as the webserver and mod_webapp to publish my web applications through to the user. This has always worked fine; however, I have never tried with anything other than a "real" cert in this configuration. If you would like to try Apache, I can recommend the mod_ssl documentation, it is very detailed on how to set up Apache for SSL.

Regards,
Peter
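The procedure Henrik describes, scripted end to end as an added example. This is my own code, not Henrik's, Peter's or anything from the Tomcat project: one private CA signs both the Tomcat server certificate and the browser's client certificate; the client identity is exported as PKCS#12 (key + cert + CA cert) because a bare DER certificate leaves the browser with nothing to sign the CertificateVerify message, which is the handshake failure Henrik hit; and Tomcat's JKS gets a genuine keyEntry by the genkeypair, certreq, sign, import-reply route, with the CA certificate imported first as a trustedCertEntry. Assumptions: an OpenSSL 1.1 or 3.x command line, a JDK keytool on PATH, 2048-bit RSA keys (the 1024-bit limit Henrik observed was a 2002 IE quirk; current browsers accept 2048 and reject shorter keys), the password "changeit", a scratch directory, and the illustrative subject names below. The last function goes beyond the thread: keytool has had -importkeystore since JDK 6, which answers Henrik's open question about getting a private key plus existing certificate into a JKS.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a private CA, a client identity
# as PKCS#12 for the browser, and a Tomcat JKS with a real keyEntry.
# Assumed: openssl 1.1+/3.x CLI, JDK keytool, password "changeit", scratch dir.
set -eu

PASS="${PASS:-changeit}"
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

have() { command -v "$1" >/dev/null 2>&1; }

# Step 1: private CA. ca.key stays offline; only ca.crt / ca.der is distributed.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Private CA" -keyout ca.key -out ca.crt 2>/dev/null
  # DER copy: the form to install as a trusted root in the browser and the JRE
  # (certificate only, never the key).
  openssl x509 -in ca.crt -outform DER -out ca.der
}

# Sign a CSR with the CA. $1 = CSR file, $2 = output certificate.
ca_sign() {
  openssl x509 -req -in "$1" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out "$2" 2>/dev/null
}

# Step 2: client identity for the browser. The PKCS#12 bundles private key,
# client cert and CA cert; importing only the DER cert gives the browser no key
# to sign CertificateVerify with, and the TLS handshake fails.
make_client_p12() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Henrik" \
    -keyout client.key -out client.csr 2>/dev/null
  ca_sign client.csr client.crt
  openssl pkcs12 -export -name client -inkey client.key -in client.crt \
    -certfile ca.crt -out client.p12 -passout "pass:$PASS"
}

# Step 3: Tomcat's JKS. Generating the key pair inside the keystore is what
# produces a keyEntry; the CSR goes to the CA and the reply is imported back on
# the same alias. The CA cert is imported first (trustedCertEntry) so keytool
# can validate the reply and so client certs can later be verified against it.
make_tomcat_jks() {
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=localhost" -keystore tomcat.jks -storetype JKS \
    -storepass "$PASS" -keypass "$PASS" 2>/dev/null
  keytool -certreq -alias tomcat -keystore tomcat.jks -storetype JKS \
    -storepass "$PASS" -file tomcat.csr 2>/dev/null
  ca_sign tomcat.csr tomcat.crt
  keytool -importcert -noprompt -alias ca -file ca.crt \
    -keystore tomcat.jks -storetype JKS -storepass "$PASS" 2>/dev/null
  keytool -importcert -noprompt -alias tomcat -file tomcat.crt \
    -keystore tomcat.jks -storetype JKS -storepass "$PASS" 2>/dev/null
}

# Alternative for a key + cert that already exist outside the keystore:
# bundle them as PKCS#12 and let keytool -importkeystore copy the entry.
import_p12_into_jks() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout server.key -out server.csr 2>/dev/null
  ca_sign server.csr server.crt
  openssl pkcs12 -export -name server -inkey server.key -in server.crt \
    -certfile ca.crt -out server.p12 -passout "pass:$PASS"
  keytool -importkeystore -noprompt -srckeystore server.p12 \
    -srcstoretype PKCS12 -srcstorepass "$PASS" -srcalias server \
    -destkeystore tomcat-alt.jks -deststoretype JKS \
    -deststorepass "$PASS" -destalias tomcat 2>/dev/null
}

# Checks worth running before blaming the handshake.
p12_has_private_key() {
  openssl pkcs12 -in client.p12 -nocerts -nodes -passin "pass:$PASS" \
    2>/dev/null | grep -q "PRIVATE KEY"
}
chain_verifies() { openssl verify -CAfile ca.crt client.crt >/dev/null; }
jks_has_key_entry() {   # $1 = keystore; old keytool prints "keyEntry"
  keytool -list -alias tomcat -keystore "$1" -storetype JKS \
    -storepass "$PASS" 2>/dev/null | grep -Eq "PrivateKeyEntry|keyEntry"
}

if have openssl; then make_ca; make_client_p12; fi
if have openssl && have keytool; then make_tomcat_jks; import_p12_into_jks; fi
```

After it runs, client.p12 is what goes into the browser's personal certificate store and ca.der into its trusted roots; the Tomcat connector then points at tomcat.jks with client authentication turned on, and ca.der is additionally imported into the JRE trust store as Henrik describes (the path and keytool options for that are JRE-version specific, so they are left out here). The three check functions separate the two failure modes that look identical from the browser: a PKCS#12 without a private key, and a JKS whose "tomcat" alias is only a trustedCertEntry.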