I think by installing the .cer file, you installed the "public" part of the client certificate. A .cer file is supposed to contain the publicly distributable portion of the client certificate.
The browsers need the "private" part. That's why it's called a "client certificate". You import the .cer file into your Java JKS keystore on the server, and that lets the server know it can trust the client. You also have to set up a user account matching the certificate in tomcat-users.xml for the server portion to function. And there is a web.xml part too. You'll need to import a .p12 file that is generated as part of the whole process into the browsers. If you don't have a .p12 file handy, you need to figure out how to get one from somewhere. You double click on a .p12 file to import it into Window's keystore. FireFox also allows you to directly import a .p12 file. -----Original Message----- From: Jorge Medina [mailto:jmed...@e-dialog.com] Sent: Monday, April 20, 2009 9:49 AM To: Tomcat Users List Subject: RE: Tomcat 5.5 Trust Stores and Client Authentication I have not used client certificates, but in order to use SSL with self-generated certificates you need to add your server self-signed certificate to the trusted roots of your Windows account or computer account. Use the "Certificates" plug-in on an MMC console to perform the operation. The operation above guarantees that IE can verify the identity of your server. When using client-certificates, you need to guarantee the opposite too: your server needs to be able to verify the identity of the client. After installing the client certificate on IE, you also need to install the client-certificate -or the CA root of the client certificate- into the store used by Tomcat. I would assume that Tomcat uses the JVM trust store, so you would need to specify: CATALINA_OPTS="-Djavax.net.ssl.trustStore=your_path_to/cacerts.jks -Djavax.net.ssl.trustStorePassword=your_password" But the documentation indicates to use the attributes: truststoreFile="C:/cacerts.jks" truststorePass="changeit" truststoreType="JKS" ...that you already have tried. So, try setting the variables above. -Jorge -----Original Message----- From: Ron Perkins [mailto:ronperkins...@googlemail.com] Sent: Monday, April 20, 2009 4:14 AM To: users@tomcat.apache.org Subject: Tomcat 5.5 Trust Stores and Client Authentication Hi All, I have done the following to create a Trust Store for Tomcat to use: Created a keystore with new certificate: keytool -genkey -alias mycert -keyalg RSA -kaypass changeit -keystore keystore.jks -storepass changeit Exported certificate: keytool -export -alias mycert -file mycert.cer -keystore keystore.jks -storepass changeit Imported certificate into trust store: keytool -import -v -trustcacerts alias mycert -keypass changeit -file mycert.cer -keystore cacerts.jks -storepass changeit Added the following Connector into server.xml to allow Client Authentication: <Connector port="443" scheme="https" secure="true" keystoreFile="C:/keystore.jks" keystorePass="changeit" keystoreType="JKS" keyAlias="mykey" truststoreFile="C:/cacerts.jks" truststorePass="changeit" truststoreType="JKS" sslProtocol="TLS" maxSpareThreads="75" maxThreads="350" uRIEncoding="UTF-8" minSpareThreads="25" clientAuth="true"> </Connector> After starting Tomcat up, using netstat I can see that port 443 is listening... When using IE to test the connection to the https default page I get IE's no communication web page displayed. If I use Firefox this gives me the following error: SSL peer cannot verify your certificate (Error code: ssl_error_bad_cert_alert) I was expecting a message to say that the client needs a client certificate? I then installed the client certificate mycert.cer into the client browsers, but has no effect and I still recevie the same error messages. To check that I have SSL correctly installed, if I change clientAuth="true" to clientAuth="false" then default Tomcatwebpage is displayed within the browsers. What have I done wrong? I am thinking that it is the way that I have created the Trust store that is the problem? Thanks for any help in advance... --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org