Can you let me know if this is correct:

1. Generate server keystore:
   a. keytool -genkey -alias <server alias> -keystore <server keystore> -keyalg RSA
   b. Enter server information as prompted
2. Generate client keystore:
   a. keytool -genkey -alias <client alias> -keystore <client keystore> -keyalg RSA
   b. Enter server information as prompted
3. Export server certificate:
   a. keytool -export -alias <server alias> -keystore <server keystore> -file <server file>
4. Export client certificate:
   a. keytool -export -alias <client alias> -keystore <client keystore> -file <client file>
5. Import server certificate into client:
   a. keytool -import -alias <server alias> -keystore <client keystore> -file <file - from point 3a>
6. Import client certificate into server:
   a. keytool -import -alias <client alias> -keystore <server keystore> -file <file - from point 4a>
After going through the above motions, it occurred to me that I had not issued any commands with -selfcert. So I went through that process as well, then re-exported and re-imported the certificates into the relevant keystores (restarting Tomcat to ensure the latest certificates are being used), still with no success (same stack trace as my last posting).

When I review the certificate, there does not seem to be an extra root certificate other than the one that I generated to start with. I feel that I am missing some fundamental step or set-up.

Regards,
Andrew Friebel

-----Original Message-----
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 14 November 2006 12:34 PM
To: Tomcat Users List
Subject: Re: Accessing ssl pages using client authentication

Andrew Friebel wrote:
> Mark,
> Thanks for your input. I have got normal SSL working, and that
> works like a charm (using both IE - doGet, and via a servlet - doPost).

Great.

> My certificates are self signed, to answer your questions:
> o I do not believe this is an issue with self signed certificates
> - as the issuer of the server certificate is created when the keystore
> is created.

I am not sure about this. When I last set this up I had a self-signed root certificate authority (actually root CAs have to be self signed) with its own keystore that I then used to sign both the server and the client certs. Might be worth giving this a go, again getting basic SSL up and running first.

Mark
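The layout Mark describes, one self-signed root CA keystore that signs both the server and the client certificate, written out as an added example that is not part of this thread. It assumes a Java 7+ keytool on PATH (for -gencert and -ext), and the DNs, aliases and the password changeit are placeholders constructed for the demo.

```shell
#!/bin/sh
# Added example: build a small mutual-TLS PKI with keytool. Instead of each side
# trusting the other's self-signed cert, both sides get a cert signed by one root
# CA and trust only that CA. Passwords/DNs below are placeholders.
set -eu

build_mtls_pki() {
    dir="$1"; pass="changeit"          # placeholder password, constructed for the demo
    mkdir -p "$dir"
    ca="$dir/ca.p12"

    # 1. Root CA: self-signed, flagged as a CA (BasicConstraints) and limited to signing.
    keytool -genkeypair -alias rootca -keyalg RSA -keysize 2048 -validity 3650 \
        -dname "CN=Demo Root CA,O=Example" -ext bc:c -ext ku:c=keyCertSign,cRLSign \
        -keystore "$ca" -storetype PKCS12 -storepass "$pass" -keypass "$pass"
    keytool -exportcert -rfc -alias rootca -keystore "$ca" -storepass "$pass" \
        -file "$dir/rootca.pem"

    # 2. One key pair per side, each signed by the CA with the matching EKU.
    for side in server client; do
        ks="$dir/$side.p12"
        case $side in server) eku=serverAuth;; client) eku=clientAuth;; esac
        keytool -genkeypair -alias "$side" -keyalg RSA -keysize 2048 -validity 365 \
            -dname "CN=demo-$side,O=Example" \
            -keystore "$ks" -storetype PKCS12 -storepass "$pass" -keypass "$pass"
        keytool -certreq -alias "$side" -keystore "$ks" -storepass "$pass" \
            -file "$dir/$side.csr"
        keytool -gencert -alias rootca -keystore "$ca" -storepass "$pass" -rfc \
            -ext ku:c=dig,keyEnc -ext "eku=$eku" -validity 365 \
            -infile "$dir/$side.csr" -outfile "$dir/$side.pem"
        # 3. CA cert goes in first (trust anchor) so the signed cert's chain resolves
        #    on import; the same keystore can then serve as truststore for that side.
        keytool -importcert -noprompt -alias rootca -keystore "$ks" -storepass "$pass" \
            -file "$dir/rootca.pem"
        keytool -importcert -noprompt -alias "$side" -keystore "$ks" -storepass "$pass" \
            -file "$dir/$side.pem"
    done
}

# Returns 0 when a keystore holds the trusted CA entry plus that side's private key,
# which is what a Tomcat keystore/truststore pair needs for clientAuth.
check_keystore() {
    out=$(keytool -list -keystore "$1" -storepass changeit)
    echo "$out" | grep -q "rootca,.*trustedCertEntry" &&
        echo "$out" | grep -q "$2,.*PrivateKeyEntry"
}

# Usage: sh mtls-pki.sh <output dir>
[ -z "${1:-}" ] || build_mtls_pki "$1"
```

For an older Tomcat expecting JKS, change -storetype PKCS12 to JKS; the signing flow is the same.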