I have not used client certificates, but in order to use SSL with
self-generated certificates you need to add your server self-signed
certificate to the trusted roots of your Windows account or computer
account. Use the "Certificates" plug-in on an MMC console to perform the
operation.
The operation above guarantees that IE can verify the identity of your
server.
When using client-certificates, you need to guarantee the opposite too:
your server needs to be able to verify the identity of the client.
After installing the client certificate on IE, you also need to install
the client certificate (or the CA root of the client certificate) into
the store used by Tomcat. I would assume that Tomcat uses the JVM trust
store, so you would need to specify:
CATALINA_OPTS="-Djavax.net.ssl.trustStore=your_path_to/cacerts.jks
-Djavax.net.ssl.trustStorePassword=your_password"
But the documentation indicates to use the attributes:
truststoreFile="C:/cacerts.jks"
truststorePass="changeit"
truststoreType="JKS"
...that you already have tried.
So, try setting the variables above.
-Jorge
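To make concrete what the connector checks once clientAuth="true" is set, here is an added example (not from either message) that uses only openssl: it builds a small private CA, issues a client certificate and bundles it with its private key as PKCS#12 for the browser, then runs the same chain check against a truststore that holds the issuing CA and against one that does not. Every name and path in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: reproduces the verification Tomcat
# performs under clientAuth="true" using a throwaway PKI built with openssl.
# "Demo CA", "ron" and all file names are constructed for this demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Private CA that will sign the client certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout ca.key -out ca.pem >/dev/null 2>&1

# Client key and certificate signed by that CA. A browser can only present
# a client certificate when it also holds the private key, so the pair is
# packaged as PKCS#12; a bare .cer export carries no key.
openssl req -newkey rsa:2048 -nodes -subj "/CN=ron" \
    -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -out client.pem >/dev/null 2>&1
openssl pkcs12 -export -in client.pem -inkey client.key \
    -passout pass:changeit -out client.p12 >/dev/null 2>&1

# An unrelated self-signed certificate, standing in for a truststore that
# does not contain the client's issuer.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Other CA" \
    -keyout other.key -out other.pem >/dev/null 2>&1

# verify_client TRUSTSTORE CLIENTCERT: exit 0 when the chain validates,
# which is the condition under which the server accepts the handshake.
verify_client() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Truststore holds the issuing CA: the client certificate is accepted.
check_trusted() { verify_client ca.pem client.pem; }

# Truststore lacks the issuing CA: the server rejects the certificate,
# which the browser reports as a bad-certificate alert. Returns 0 when
# the rejection happens as expected.
check_untrusted() {
    if verify_client other.pem client.pem; then return 1; else return 0; fi
}

# The issuing CA, not the client certificate itself, is what belongs in the
# truststore the connector points at (command shown, not executed here):
#   keytool -importcert -trustcacerts -alias demo-ca -file ca.pem \
#       -keystore cacerts.jks -storepass changeit
```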
-----Original Message-----
From: Ron Perkins [mailto:[email protected]]
Sent: Monday, April 20, 2009 4:14 AM
To: [email protected]
Subject: Tomcat 5.5 Trust Stores and Client Authentication
Hi All,
I have done the following to create a Trust Store for Tomcat to use:
Created a keystore with new certificate:
keytool -genkey -alias mycert -keyalg RSA -keypass changeit -keystore
keystore.jks -storepass changeit
Exported certificate:
keytool -export -alias mycert -file mycert.cer -keystore keystore.jks
-storepass changeit
Imported certificate into trust store:
keytool -import -v -trustcacerts -alias mycert -keypass changeit -file
mycert.cer -keystore cacerts.jks -storepass changeit
Added the following Connector into server.xml to allow Client
Authentication:
<Connector
port="443"
scheme="https"
secure="true"
keystoreFile="C:/keystore.jks"
keystorePass="changeit"
keystoreType="JKS"
keyAlias="mykey"
truststoreFile="C:/cacerts.jks"
truststorePass="changeit"
truststoreType="JKS"
sslProtocol="TLS"
maxSpareThreads="75"
maxThreads="350"
uRIEncoding="UTF-8"
minSpareThreads="25"
clientAuth="true">
</Connector>
After starting Tomcat up, using netstat I can see that port 443 is
listening...
When using IE to test the connection to the https default page I get
IE's no communication web page displayed. If I use Firefox this gives me
the following error: SSL peer cannot verify your certificate (Error
code: ssl_error_bad_cert_alert)
I was expecting a message to say that the client needs a client
certificate? I then installed the client certificate mycert.cer into the
client browsers, but this has no effect and I still receive the same error
messages.
To check that I have SSL correctly installed, if I change
clientAuth="true" to clientAuth="false" then the default Tomcat web page is
displayed within the browsers.
What have I done wrong? I am thinking that it is the way that I have
created the Trust store that is the problem?
Thanks for any help in advance...
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]