I have not used client certificates, but in order to use SSL with self-generated certificates you need to add your server's self-signed certificate to the trusted roots of your Windows user account or computer account. Use the "Certificates" plug-in in an MMC console to perform the operation.
The operation above guarantees that IE can verify the identity of your server. When using client certificates, you need to guarantee the opposite too: your server needs to be able to verify the identity of the client. After installing the client certificate in IE, you also need to install the client certificate (or the CA root of the client certificate) into the store used by Tomcat.

I would assume that Tomcat uses the JVM trust store, so you would need to specify:

  CATALINA_OPTS="-Djavax.net.ssl.trustStore=your_path_to/cacerts.jks -Djavax.net.ssl.trustStorePassword=your_password"

But the documentation indicates to use the attributes:

  truststoreFile="C:/cacerts.jks" truststorePass="changeit" truststoreType="JKS"

...that you already have tried. So, try setting the variables above.

-Jorge

-----Original Message-----
From: Ron Perkins [mailto:ronperkins...@googlemail.com]
Sent: Monday, April 20, 2009 4:14 AM
To: users@tomcat.apache.org
Subject: Tomcat 5.5 Trust Stores and Client Authentication

Hi All,

I have done the following to create a Trust Store for Tomcat to use:

Created a keystore with a new certificate:

  keytool -genkey -alias mycert -keyalg RSA -keypass changeit -keystore keystore.jks -storepass changeit

Exported the certificate:

  keytool -export -alias mycert -file mycert.cer -keystore keystore.jks -storepass changeit

Imported the certificate into the trust store:

  keytool -import -v -trustcacerts -alias mycert -keypass changeit -file mycert.cer -keystore cacerts.jks -storepass changeit

Added the following Connector into server.xml to allow Client Authentication:

  <Connector port="443" scheme="https" secure="true"
             keystoreFile="C:/keystore.jks" keystorePass="changeit" keystoreType="JKS" keyAlias="mykey"
             truststoreFile="C:/cacerts.jks" truststorePass="changeit" truststoreType="JKS"
             sslProtocol="TLS" maxSpareThreads="75" maxThreads="350" URIEncoding="UTF-8"
             minSpareThreads="25" clientAuth="true">
  </Connector>

After starting Tomcat up, using netstat I can see that port 443 is listening...

When using IE to test the connection to the https default page I get IE's "no communication" web page displayed. If I use Firefox this gives me the following error:

  SSL peer cannot verify your certificate (Error code: ssl_error_bad_cert_alert)

I was expecting a message to say that the client needs a client certificate?

I then installed the client certificate mycert.cer into the client browsers, but this has no effect and I still receive the same error messages.

To check that I have SSL correctly installed, if I change clientAuth="true" to clientAuth="false" then the default Tomcat web page is displayed within the browsers.

What have I done wrong? I am thinking that it is the way that I have created the Trust store that is the problem?

Thanks for any help in advance...

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
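The following is an added, self-contained example and is not code from either message in the thread. It builds the pieces a clientAuth="true" connector actually relies on: a private CA, a server certificate and a client certificate both signed by that CA, the client identity packaged as PKCS#12 (a browser can only present a certificate for which it also holds the private key, which a bare .cer export does not carry), and a trust store that contains the CA only. It then runs the same check Tomcat's trust manager performs, namely whether a presented certificate chains to that CA and is usable for TLS client authentication. It assumes openssl on PATH and uses keytool for the JKS trust store only when a JDK is present; the subjects, file names, alias names and the "changeit" password are illustrative.

```shell
#!/bin/sh
# Added example, not code from either message in the thread. Builds what a
# clientAuth="true" connector needs: a private CA, a CA-signed server
# certificate, a CA-signed client certificate packaged as PKCS#12 (key plus
# certificate, which is what a browser needs in order to present it), and a
# trust store holding only the CA. Assumes openssl on PATH; keytool (JDK) is
# used for the JKS trust store when present. Subjects, paths, alias names and
# "changeit" are illustrative.
set -eu

# issue_cert DIR NAME SUBJECT EXTENSIONS: CA-signed end-entity certificate.
issue_cert() {
  d="$1"; n="$2"; subj="$3"; ext="$4"
  openssl req -batch -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\n%b' "$ext" > "$d/$n.ext"
  openssl x509 -req -sha256 -days 825 -in "$d/$n.csr" \
    -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -extfile "$d/$n.ext" -out "$d/$n.pem" 2>/dev/null
}

make_client_auth_pki() {
  dir="$1"
  mkdir -p "$dir"
  abs=$(cd "$dir" && pwd)

  # 1. Private CA: self-signed, with explicit v3 extensions so the result does
  #    not depend on whatever the local openssl.cnf would add.
  openssl req -batch -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$dir/ca.ext"
  openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null

  # 2. Server certificate (serverAuth) and client certificate (clientAuth),
  #    both signed by the same CA, so one trust anchor covers the client.
  issue_cert "$dir" server "/CN=localhost" 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost\n'
  issue_cert "$dir" client "/CN=ron" 'extendedKeyUsage=clientAuth\n'

  # 3. Browser import: key and certificate together. A bare .cer carries no
  #    private key, so the browser would have nothing to authenticate with.
  openssl pkcs12 -export -name client -inkey "$dir/client.key" -in "$dir/client.pem" \
    -certfile "$dir/ca.pem" -passout pass:changeit -out "$dir/client.p12"

  # 4. Tomcat key store as PKCS#12; keyAlias in server.xml must equal -name.
  openssl pkcs12 -export -name tomcat -inkey "$dir/server.key" -in "$dir/server.pem" \
    -certfile "$dir/ca.pem" -passout pass:changeit -out "$dir/keystore.p12"

  # 5. Trust store: the CA only. Tomcat validates the browser's certificate
  #    chain against this, so the CA, not the server certificate, belongs here.
  if command -v keytool >/dev/null 2>&1; then
    rm -f "$dir/cacerts.jks"
    keytool -importcert -noprompt -alias testca -file "$dir/ca.pem" \
      -keystore "$dir/cacerts.jks" -storepass changeit -storetype JKS >/dev/null 2>&1
  fi

  # 6. Connector fragment using the same attributes as the thread.
  cat > "$dir/connector.xml" <<EOF
<Connector port="443" scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="$abs/keystore.p12" keystorePass="changeit"
           keystoreType="PKCS12" keyAlias="tomcat"
           truststoreFile="$abs/cacerts.jks" truststorePass="changeit"
           truststoreType="JKS" clientAuth="true" />
EOF
}

# The check Tomcat's trust manager makes on a presented certificate: does it
# chain to a CA in the trust store, and is it usable for TLS client auth?
# Usage: client_is_trusted DIR CERTFILE; exit status 0 means trusted.
client_is_trusted() {
  openssl verify -CAfile "$1/ca.pem" -purpose sslclient "$1/$2" >/dev/null 2>&1
}

make_client_auth_pki "${1:-./pki}"
client_is_trusted "${1:-./pki}" client.pem && echo "client.pem is acceptable to the trust store"
```

Run it, import client.p12 into the browser's personal certificate store (password "changeit"), point the connector at the generated key store and trust store, and the browser has a certificate it can actually present when the server requests one. The check at the end also rejects the server certificate when it is offered as a client identity, because its extended key usage only allows serverAuth; this is the same class of refusal a server reports as a bad-certificate alert. One caveat for a Tomcat 5.5 era JVM: OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default, which old Java releases cannot read, so on OpenSSL 3 add -legacy to the pkcs12 -export commands (this needs the legacy provider) or build the key store with keytool instead.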