Also regarding the PEM file, I get it from the authority who generates my certificates (for the whole of my organization), so I don't generate PEM files. Please look on Google for how to get them yourself.

cheers
Tathagat

-----Original Message-----
From: Rodrigo Ruiz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 20, 2002 17:54
To: Tomcat Users List
Subject: Re: Client Certificates on Tomcat 3.3.1

Tathagat, at this moment I am generating my own self-signed server and client certificates :-P I have no .pem files, as I don't rely on any third-party provider.

The keystore I am using in my server has the following entries:

thawtepersonalfreemailca, Fri Feb 12 21:12:16 CET 1999, trustedCertEntry
thawtepersonalbasicca, Fri Feb 12 21:11:01 CET 1999, trustedCertEntry
verisignclass3ca, Mon Jun 29 19:05:51 CEST 1998, trustedCertEntry
thawtepersonalpremiumca, Fri Feb 12 21:13:21 CET 1999, trustedCertEntry
thawteserverca, Fri Feb 12 21:14:33 CET 1999, trustedCertEntry
verisignclass4ca, Mon Jun 29 19:06:57 CEST 1998, trustedCertEntry
verisignserverca, Mon Jun 29 19:07:34 CEST 1998, trustedCertEntry
verisignclass1ca, Mon Jun 29 19:06:17 CEST 1998, trustedCertEntry
thawtepremiumserverca, Fri Feb 12 21:15:26 CET 1999, trustedCertEntry
verisignclass2ca, Mon Jun 29 19:06:39 CEST 1998, trustedCertEntry
tomcat-sv, Tue Aug 20 16:39:06 CEST 2002, keyEntry

The last entry is my own server certificate. From this point, using the KeyMan tool, I do this:

1. Create an empty keystore
2. Import the server certificate as a CA certificate into this new keystore
3. Create a new key pair
4. Create a .csr file
5. From the server keystore, create a certificate for this .csr (it creates a .cer file with an X509 certificate chain)
6. Create a PKCS #12 token
7. Import the .cer created at point 5
8. Save the token (as a .pfx file)

Once I have this file, I import the server certificate into the trusted CA provider store (I can do this directly from the pop-up window that the browser shows on server connection). Finally, I import the .pfx file into Explorer.

Is it enough to import the server certificate, or do I have to generate a .pem file for my server certificate? If so, which tool should I use?

Now it seems to connect to the server, but it still receives an HTTP 401 error message. My web-app has activated the CLIENT-CERT authentication scheme. If I relax this to BASIC, all seems to work fine. The browser shows the user/password dialog box, and I am in :-)

Could it be a problem related to the realm? How do you specify the list of valid users? In CLIENT-CERT mode, you don't have user/password info.

Thanks a lot!

----- Original Message -----
From: "Tathagat (London)" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Sent: Tuesday, August 20, 2002 5:14 PM
Subject: RE: Client Certificates on Tomcat 3.3.1

> ok,
> what you have to do is put the certificate provider into your java's
> security file.
>
> keytool -import blah blah (options)
>
> what you have to import are ".PEM" files which you get from the certificate
> providers. Then IE will pop up your certificates. Please read the keytool
> documentation on the Sun site and most things will be clearer than my mail.
>
> cheers
> Tathagat
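The eight KeyMan steps in Rodrigo's message, redone with openssl as an added example (this is not from the thread and not KeyMan's own commands): it builds the self-signed server certificate, signs a client CSR with it, bundles the result into a .pfx, and checks the chain the browser will present. It assumes openssl on the PATH; the DNs, file names and password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): the KeyMan steps with openssl.
# Assumes openssl on PATH; DNs, file names and the password are constructed.
set -eu

# Writes ca.crt/ca.key, client.key/client.crt and client.pfx into $1 and
# prints the client subject DN. Returns non-zero if any step fails.
make_client_bundle() {
    dir="$1"; pass="$2"
    (
    cd "$dir"
    # Steps 1-2: the server keystore's own cert acts as the issuing CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example Org/CN=tomcat-sv" \
        -keyout ca.key -out ca.crt 2>/dev/null
    # Steps 3-4: client key pair plus a certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Org/CN=rodrigo" \
        -keyout client.key -out client.csr 2>/dev/null
    # Step 5: sign the CSR with the server (CA) certificate.
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 365 -out client.crt 2>/dev/null
    # Steps 6-8: bundle key, cert and issuer into a PKCS #12 (.pfx) token.
    openssl pkcs12 -export -inkey client.key -in client.crt \
        -certfile ca.crt -name rodrigo -passout "pass:$pass" -out client.pfx
    # Checks: the chain verifies against the CA the browser is told to
    # trust, and the .pfx opens with the password it was saved with.
    openssl verify -CAfile ca.crt client.crt >/dev/null
    openssl pkcs12 -in client.pfx -passin "pass:$pass" -noout
    # What the server sees after the TLS handshake: no user/password, only
    # this subject DN, which a CLIENT-CERT realm has to map to a user.
    openssl x509 -in client.crt -noout -subject
    )
}

# Usage: make_client_bundle /tmp/certdemo changeit
```

The printed subject DN is the only identity the server gets in CLIENT-CERT mode, so whatever realm is configured has to recognise that DN (or what it maps it to) rather than a user/password pair.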