One thing is still unclear to me. DO YOU SEE THE CERTIFICATE POP UP WHEN YOU
CONNECT TO THE SERVER?

If not, you have to include your client-side certificate store into your
$JAVA_HOME\jre\lib\security\cacerts keystore, using keytool -import with the
-trustcacerts option.

I use:

keytool -import -alias drkw_root -file InvestmentBankCA_root.pem
-trustcacerts -keystore cacerts -v

Tell me if you see the certificates already pop up when you connect to the
website, then I will try to find if anything else is going wrong.

cheers
Tathagat

-----Original Message-----
From: Rodrigo Ruiz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 20, 2002 17:54
To: Tomcat Users List
Subject: Re: Client Certificates on Tomcat 3.3.1


Tathagat, at this moment I am generating my own self-signed server and
client certificates :-P

I have no .pem files, as I don't rely on any third provider. The keystore I
am using in my server has the following entries:

thawtepersonalfreemailca, Fri Feb 12 21:12:16 CET 1999, trustedCertEntry,
thawtepersonalbasicca, Fri Feb 12 21:11:01 CET 1999, trustedCertEntry,
verisignclass3ca, Mon Jun 29 19:05:51 CEST 1998, trustedCertEntry,
thawtepersonalpremiumca, Fri Feb 12 21:13:21 CET 1999, trustedCertEntry,
thawteserverca, Fri Feb 12 21:14:33 CET 1999, trustedCertEntry,
verisignclass4ca, Mon Jun 29 19:06:57 CEST 1998, trustedCertEntry,
verisignserverca, Mon Jun 29 19:07:34 CEST 1998, trustedCertEntry,
verisignclass1ca, Mon Jun 29 19:06:17 CEST 1998, trustedCertEntry,
thawtepremiumserverca, Fri Feb 12 21:15:26 CET 1999, trustedCertEntry,
verisignclass2ca, Mon Jun 29 19:06:39 CEST 1998, trustedCertEntry,
tomcat-sv, Tue Aug 20 16:39:06 CEST 2002, keyEntry,

The last entry is my own server certificate.

From this point, using the KeyMan tool, I do this:

1. Create an empty keystore
2. Import the server certificate as a CA certificate into this new keystore
3. Create a new key pair
4. Create a .csr file
5. From the server keystore, create a certificate for this .csr (it creates
a .cer file with an X.509 certificate chain)
6. Create a PKCS #12 token
7. Import the .cer created at point 5
8. Save the token (as a .pfx file)

Once I have this file, I import the server certificate into the trusted CA
provider store (I can do this directly from the pop-up window that the
browser shows on connecting to the server).

Finally, I import the .pfx file into Explorer.

Is it enough to import the server certificate, or do I have to generate a
.pem file for my server certificate? If so, which tool should I use?

Now it seems to connect to the server, but it still receives an HTTP 401
error message.

My web-app has activated the CLIENT-CERT authentication scheme. If I relax
this to BASIC, all seems to work fine. The browser shows the user/password
dialog box, and I am in :-)

Could it be a problem related to the realm? How do you specify the list of
valid users? In CLIENT-CERT mode, you don't have user/password info.

Thanks a lot!

----- Original Message -----
From: "Tathagat (London)" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Sent: Tuesday, August 20, 2002 5:14 PM
Subject: RE: Client Certificates on Tomcat 3.3.1


> ok,
> what you have to do is put the certificate provider into your java's
> security file.
>
> keytool -import blah blah (options)
>
> what you have to import are ".PEM" files which you get from the
> certificate providers. Then IE will pop up your certificates. Please read
> the keytool documentation on the Sun site and most things will be clear
> from my mail.
>
> cheers
> Tathagat
>


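An added example, not from this thread or from Tomcat, showing the client side of the procedure Rodrigo describes once the .pfx exists and the server certificate has been imported with keytool -import -trustcacerts: it loads the PKCS#12 token as the client identity, the cacerts keystore as the trust store, connects, and prints the client certificate's subject DN together with the HTTP status. The file names, passwords and URL are placeholders, and the idea that the realm must map the subject DN to a user is an assumption about how a certificate-based realm identifies users.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientCertCheck {
    public static void main(String[] args) throws Exception {
        // Placeholder paths/passwords (assumed): the .pfx saved by KeyMan in step 8,
        // and the cacerts keystore that received the keytool -import -trustcacerts entry.
        String pfxPath = args.length > 0 ? args[0] : "client.pfx";
        char[] pfxPass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String trustPath = System.getProperty("java.home") + "/lib/security/cacerts";
        char[] trustPass = "changeit".toCharArray();
        String url = args.length > 2 ? args[2] : "https://localhost:8443/secure/";

        // Client identity: the PKCS#12 token holds the private key and the .cer chain.
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(pfxPath)) { identity.load(in, pfxPass); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, pfxPass);

        // Trust anchors: the JKS keystore into which the server/CA certificate was imported.
        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustPath)) { trust.load(in, trustPass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        // The subject DN is the identity the server-side realm must be able to map to a user (assumed).
        for (String alias : Collections.list(identity.aliases())) {
            if (identity.isKeyEntry(alias)) {
                X509Certificate c = (X509Certificate) identity.getCertificate(alias);
                System.out.println("client alias " + alias + " subject DN: " + c.getSubjectX500Principal().getName());
            }
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());

        // A completed handshake followed by 401 points at the realm/user mapping, not the certificates;
        // a handshake failure points at the trust store or the .pfx contents.
        System.out.println("HTTP " + conn.getResponseCode() + " from " + url);
        X509Certificate server = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("server cert subject DN: " + server.getSubjectX500Principal().getName());
    }
}
```

Run it as `java ClientCertCheck client.pfx <pfx-password> https://host:8443/secure/` and compare the printed server DN with the entry imported into cacerts and the printed client DN with what the realm is configured to accept.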