Re: Client Certificates on Tomcat 3.3.1
Ok, a step forward. After some changes in my certificates, I have a client that successfully sends its certificates to the server. From the browser, it doesn't connect at all (no certificate pop-ups, and no connection established). Explorer requests now raise the following exception in Tomcat:

    Thread-17, WRITE: SSL v3.0 Handshake, length = 2825
    Thread-17, READ: SSL v3.0 Alert, length = 2
    Thread-17, RECV SSLv3 ALERT: warning, no_certificate
    SSL -- handshake alert: no_certificate
    Thread-17, SEND SSL v3.0 ALERT: fatal, description = handshake_failure
    Thread-17, WRITE: SSL v3.0 Alert, length = 2
    PoolTcpEndpoint: Handshake failed
    javax.net.ssl.SSLException: javax.net.ssl.SSLProtocolException: handshake alert: no_certificate
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
        at java.io.OutputStream.write(OutputStream.java:61)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
        ...

But my java client does the handshake correctly. I am using the same certificates in both cases; any idea about the problem with Explorer?

The java client is working with BASIC authorization level. It still doesn't work with CLIENT-CERT.

----- Original Message -----
From: Tathagat (London) [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Tuesday, August 20, 2002 6:02 PM
Subject: RE: Client Certificates on Tomcat 3.3.1

> 1 thing is still unclear to me. DO YOU SEE THE CERTIFICATE POP UP WHEN YOU CONNECT TO THE SERVER?
>
> If not, you have to include your client side certificate store into your $JAVA_HOME\jre\lib\security\cacerts keystore, using keytool -import with the -trustcacerts option. I use:
>
>     keytool -import -alias drkw_root -file InvestmentBankCA_root.pem -trustcacerts -keystore cacerts -v
>
> Tell me if you see the certificates already pop up when you connect to the website, then I will try to find if anything else is going wrong.
>
> cheers
> Tathagat
>
> -----Original Message-----
> From: Rodrigo Ruiz [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 20, 2002 17:54
> To: Tomcat Users List
> Subject: Re: Client Certificates on Tomcat 3.3.1
>
> [...]
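The log above shows the SSL 3.0 way for a client to say it has nothing to offer: after the server's CertificateRequest the client sends a warning alert, no_certificate, and a server that requires client authentication answers with a fatal handshake_failure (a TLS 1.0 client sends an empty Certificate message instead). Whether a browser has anything to offer is decided by the certificate_authorities list inside that CertificateRequest, which JSSE builds from the trusted certificate entries of the server's truststore: the browser only proposes client certificates whose issuer appears on that list. The program below is an added example, not code from the thread, Tomcat or JSSE. It encodes such a list the way the handshake message carries it, parses it back, and applies the client's check to constructed distinguished names modelled on the ones used in the thread (with ST= in place of keytool's S=).

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/*
 * Added example, not code from the thread, Tomcat or JSSE. Models the
 * certificate_authorities list of an SSL 3.0 / TLS 1.0 CertificateRequest:
 * a client offers only a certificate whose issuer is on that list.
 */
public class CertificateRequestCheck {

    /* certificate_types: 1 = rsa_sign. Assumed to be all the server accepts. */
    private static final byte[] CERT_TYPES = { 1 };

    /* Build the body of a CertificateRequest from the issuers the server trusts. */
    static byte[] encodeCertificateRequest(List<X500Principal> acceptedIssuers) {
        ByteArrayOutputStream names = new ByteArrayOutputStream();
        for (X500Principal issuer : acceptedIssuers) {
            byte[] der = issuer.getEncoded();        // DER-encoded X.501 Name
            names.write(der.length >>> 8);           // DistinguishedName<1..2^16-1>
            names.write(der.length & 0xff);
            names.write(der, 0, der.length);
        }
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        body.write(CERT_TYPES.length);               // certificate_types<1..2^8-1>
        body.write(CERT_TYPES, 0, CERT_TYPES.length);
        body.write(names.size() >>> 8);              // certificate_authorities<3..2^16-1>
        body.write(names.size() & 0xff);
        body.write(names.toByteArray(), 0, names.size());
        return body.toByteArray();
    }

    /* Parse the accepted issuers back out, as a client does before choosing a certificate. */
    static List<X500Principal> parseAcceptedIssuers(byte[] body) {
        ByteBuffer buf = ByteBuffer.wrap(body);
        int typesLen = buf.get() & 0xff;
        buf.position(buf.position() + typesLen);     // skip certificate_types
        int namesLen = buf.getShort() & 0xffff;
        int end = buf.position() + namesLen;
        List<X500Principal> issuers = new ArrayList<X500Principal>();
        while (buf.position() < end) {
            byte[] der = new byte[buf.getShort() & 0xffff];
            buf.get(der);
            issuers.add(new X500Principal(der));
        }
        return issuers;
    }

    /*
     * The client's decision: offer the certificate only if its issuer is listed.
     * X500Principal.equals compares canonical forms, so attribute order and
     * whitespace in the string form do not cause false mismatches.
     */
    static boolean clientWouldOfferCert(X500Principal clientCertIssuer, byte[] certRequestBody) {
        return parseAcceptedIssuers(certRequestBody).contains(clientCertIssuer);
    }

    public static void main(String[] args) {
        // Constructed names, modelled on the DNs in the thread.
        X500Principal serverCert = new X500Principal(
                "CN=neyade,OU=InnerGrid,O=GridSystems,L=Palma,ST=Baleares,C=ES");
        X500Principal selfSignedClient = new X500Principal(
                "CN=rruiz,OU=InnerGrid,O=GridSystems,L=Palma,ST=Baleares,C=ES");

        // Case 1: the self-signed client certificate was imported into the server
        // truststore, so its subject (which is also its issuer) is advertised.
        byte[] request1 = encodeCertificateRequest(Arrays.asList(selfSignedClient));
        System.out.println("self-signed client cert offered: "
                + clientWouldOfferCert(selfSignedClient, request1));

        // Case 2: the client certificate is issued by the server certificate, but the
        // truststore advertises only an unrelated (constructed) CA. The browser has
        // nothing to offer: no pop-up, and an SSL 3.0 client answers with the
        // no_certificate alert seen in the log.
        X500Principal unrelatedCa = new X500Principal("CN=Example Root CA,O=Example,C=ES");
        byte[] request2 = encodeCertificateRequest(Arrays.asList(unrelatedCa));
        System.out.println("server-issued client cert offered: "
                + clientWouldOfferCert(serverCert, request2));

        // Case 3: once the issuing certificate is a trusted entry, it is advertised too.
        byte[] request3 = encodeCertificateRequest(Arrays.asList(unrelatedCa, serverCert));
        System.out.println("after importing the issuer into the truststore: "
                + clientWouldOfferCert(serverCert, request3));
    }
}
```

Compile and run with javac and java; no network is needed. The same check can be done by eye on keytool -list output: the subject of every trustedCertEntry in the server keystore is one name the server will advertise, and a client certificate whose issuer matches none of them is never offered, whatever the browser's certificate store contains.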
RE: Client Certificates on Tomcat 3.3.1
okay, I have faced so many problems on this.. and finally could do it! Please answer the following questions.

First question: The certificates that you are using on your machine (as client), where do you get them from?

Second: When you connect to the server (https://localhost:8443 or whatever), does your certificate pop up?

cheers
Tathagat

-----Original Message-----
From: Rodrigo Ruiz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 20, 2002 11:42
To: [EMAIL PROTECTED]
Subject: Client Certificates on Tomcat 3.3.1

> Hi all,
>
> I'm trying to set up a secure connection between Tomcat 3.3.1 and a java soap client. My soap service simply prints out some request data, and also the content of request.getAttribute("javax.servlet.request.X509Certificate"), following some example code I found on the Internet (I'm not sure this code should function). I have followed the instructions in the xml.apache.org FAQ, and generated all certificates with keytool.
>
> Firstly, I configured tomcat with clientAuth set to false, and used a basic authentication scheme in my web-app. It worked fine. When connecting through my client, the service prints the next info:
>
>     Authorization: BASIC
>     Remote User: tomcat
>     Secured: true
>     Principal: tomcat
>     No client certificate is available
>
> If I set clientAuth to true, it still works, but it keeps showing the "No client certificate available" message.
>
> The big problem comes when I configure my web-app to use the CLIENT-CERT authorization scheme. It simply returns a 401 error code.
>
> Any one can help me, please??
>
> Thanks in advance,
> Rodrigo Ruiz Aguayo
>
> PS: Following is the bat file I'm using to generate the keystores:
>
>     del server.keystore
>     del client.keystore
>     REM Both keystores start as copies of the JRE's default trust store
>     copy %JAVA_HOME%\jre\lib\security\cacerts .\server.keystore
>     copy %JAVA_HOME%\jre\lib\security\cacerts .\client.keystore
>
>     REM Change default passwords
>     keytool -storepasswd -keystore server.keystore -storepass changeit -new 123456
>     keytool -storepasswd -keystore client.keystore -storepass changeit -new 123456
>
>     REM Create server.keystore
>     REM (self-signed server key pair, then export its certificate)
>     keytool -genkey -alias tomcat-sv -dname "CN=neyade,OU=InnerGrid,O=GridSystems,L=Palma,S=Baleares,C=ES" -keyalg RSA -keypass 123456 -storepass 123456 -keystore server.keystore
>     keytool -export -alias tomcat-sv -storepass 123456 -file server.cer -keystore server.keystore
>
>     REM Import server certificate as a trusted CA in the client keystore
>     keytool -import -v -trustcacerts -alias tomcat -file server.cer -keystore client.keystore -keypass 123456 -storepass 123456
>
>     REM Create client keystore
>     REM (self-signed client key pair, export its certificate, import it as trusted in the server keystore)
>     keytool -genkey -alias rruiz -dname "CN=rruiz,OU=InnerGrid,O=GridSystems,L=Palma,S=Baleares,C=ES" -keyalg RSA -keypass 123456 -storepass 123456 -keystore client.keystore
>     keytool -export -alias rruiz -storepass 123456 -file rruiz.cer -keystore client.keystore
>     keytool -import -v -trustcacerts -alias tomcat -file rruiz.cer -keystore server.keystore -keypass 123456 -storepass 123456

--
To unsubscribe, e-mail: mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]

If you have received this e-mail in error or wish to read our e-mail disclaimer statement and monitoring policy, please refer to http://www.drkw.com/disc/email/ or contact the sender.
Re: Client Certificates on Tomcat 3.3.1
----- Original Message -----
From: Tathagat (London) [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Tuesday, August 20, 2002 3:22 PM
Subject: RE: Client Certificates on Tomcat 3.3.1

> okay, I have faced so many problems on this.. and finally could do it! Please answer the following questions.
>
> First question: The certificates that you are using on your machine (as client), where do you get them from?

I create them with KeyMan from IBM. I have tried to create an X509 chain, signed with my server key, and also a .PFX file with the same characteristics. None seemed to work. In fact, when I import the certificates into Explorer, it places them into the "Medium CA Providers" tab, and not in the Personal repository. Is it ok?

> Second: When you connect to the server (https://localhost:8443 or whatever), does your certificate pop up?

The browser only pops up the server certificate, not the client one. It looks like it does not send my client certificate at all.

> cheers
> Tathagat
>
> -----Original Message-----
> From: Rodrigo Ruiz [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 20, 2002 11:42
> To: [EMAIL PROTECTED]
> Subject: Client Certificates on Tomcat 3.3.1
>
> [...]
RE: Client Certificates on Tomcat 3.3.1
ok, what you have to do is put the certificate provider into your java's security file:

    keytool -import blah blah (options)

What you have to import are .PEM files which you get from the certificate providers. Then IE will pop up your certificates. Please read the keytool documentation on the sun site and most things will be clear from my mail.

cheers
Tathagat

-----Original Message-----
From: Rodrigo Ruiz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 20, 2002 16:59
To: Tomcat Users List
Subject: Re: Client Certificates on Tomcat 3.3.1

> [...]
Re: Client Certificates on Tomcat 3.3.1
Tathagat, at this moment I am generating my own self-signed server and client certificates :-P I have no .pem files, as I don't rely on any third provider.

The keystore I am using in my server has the following entries:

    thawtepersonalfreemailca, Fri Feb 12 21:12:16 CET 1999, trustedCertEntry,
    thawtepersonalbasicca, Fri Feb 12 21:11:01 CET 1999, trustedCertEntry,
    verisignclass3ca, Mon Jun 29 19:05:51 CEST 1998, trustedCertEntry,
    thawtepersonalpremiumca, Fri Feb 12 21:13:21 CET 1999, trustedCertEntry,
    thawteserverca, Fri Feb 12 21:14:33 CET 1999, trustedCertEntry,
    verisignclass4ca, Mon Jun 29 19:06:57 CEST 1998, trustedCertEntry,
    verisignserverca, Mon Jun 29 19:07:34 CEST 1998, trustedCertEntry,
    verisignclass1ca, Mon Jun 29 19:06:17 CEST 1998, trustedCertEntry,
    thawtepremiumserverca, Fri Feb 12 21:15:26 CET 1999, trustedCertEntry,
    verisignclass2ca, Mon Jun 29 19:06:39 CEST 1998, trustedCertEntry,
    tomcat-sv, Tue Aug 20 16:39:06 CEST 2002, keyEntry,

The last entry is my own server certificate. From this point, using the KeyMan tool, I do this:

1. Create an empty keystore
2. Import the server certificate as a CA certificate into this new keystore
3. Create a new key pair
4. Create a .csr file
5. From the server keystore, create a certificate for this .csr (it creates a .cer file with an X509 certificate chain)
6. Create a PKCS #12 token
7. Import the .cer created at point 5
8. Save the token (as a .pfx file)

Once I have this file, I import the server certificate in the trusted CA provider store (I can do this directly from the pop-up window that the browser shows on server connection). Finally, I import the .pfx file into Explorer.

Is it enough importing the server certificate, or do I have to generate a .pem file for my server certificate? If so, which tool should I use?

Now it seems to connect to the server, but it still receives an HTTP 401 error message. My web-app has activated the CLIENT-CERT authentication scheme. If I relax this to BASIC, all seems to work fine. The browser shows the user/password dialog box, and I am in :-)

Could it be a problem related to the realm? How do you specify the list of valid users? In CLIENT-CERT mode, you don't have user/password info.

Thanks a lot!

----- Original Message -----
From: Tathagat (London) [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Tuesday, August 20, 2002 5:14 PM
Subject: RE: Client Certificates on Tomcat 3.3.1

> ok, what you have to do is put the certificate provider into your java's security file:
>
>     keytool -import blah blah (options)
>
> What you have to import are .PEM files which you get from the certificate providers. Then IE will pop up your certificates. Please read the keytool documentation on the sun site and most things will be clear from my mail.
>
> cheers
> Tathagat
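BASIC takes the user name from the password dialog; CLIENT-CERT has to derive it from the certificate chain the SSL connector verified during the handshake, which the container hands to the web-app as the request attribute javax.servlet.request.X509Certificate (an array of java.security.cert.X509Certificate, the client's own certificate first). The servlet below is an added example, not code from the thread and not Tomcat's realm implementation (the page does not show how the Tomcat 3.3.1 realm is configured for CLIENT-CERT). It performs the mapping at servlet level so the step is visible: no chain, an expired certificate, or an unknown subject each produce the 401 the message above reports. The user table and the subject DN in it are constructed for the example, using the DN from the thread with ST= in place of keytool's S=.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.x500.X500Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not code from the thread or from Tomcat. Turns the client
 * certificate the connector verified into a known user, which is the piece
 * CLIENT-CERT needs in place of BASIC's user/password pair.
 */
public class ClientCertMappingServlet extends HttpServlet {

    /*
     * Subject DN -> user name (constructed table). Keyed by X500Principal, not
     * by string, so "CN=rruiz, OU=InnerGrid,..." and "CN=rruiz,OU=InnerGrid,..."
     * resolve to the same user.
     */
    private static final Map<X500Principal, String> USERS = new HashMap<X500Principal, String>();
    static {
        USERS.put(new X500Principal(
                "CN=rruiz,OU=InnerGrid,O=GridSystems,L=Palma,ST=Baleares,C=ES"), "rruiz");
    }

    /*
     * Returns the user for a verified client chain, or null when no chain was
     * presented or the subject is unknown. The connector already checked the
     * chain against its truststore during the handshake; this re-checks the
     * validity period and does the subject-to-user lookup.
     */
    static String userForChain(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            return null;                       // clientAuth off, or the client sent nothing
        }
        X509Certificate leaf = chain[0];       // the client's own certificate
        leaf.checkValidity();                  // throws if expired or not yet valid
        return USERS.get(leaf.getSubjectX500Principal());
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[])
                req.getAttribute("javax.servlet.request.X509Certificate");
        String user;
        try {
            user = userForChain(chain);
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate not valid");
            return;
        }
        if (user == null) {
            // The outcome the thread sees under CLIENT-CERT: no usable certificate, 401.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no client certificate for a known user");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Authenticated as " + user + " from certificate subject "
                + chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253));
    }
}
```

Keying the table by X500Principal rather than by the DN string matters: the same name can print with different spacing or attribute order, and a string comparison either rejects a valid certificate or has to be loosened until it accepts the wrong one. When the SSL connector terminates the connection itself, the attribute is set by the connector from the handshake, not from anything the client can place in a request header, which is why the servlet does not need to re-verify the chain.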
RE: Client Certificates on Tomcat 3.3.1
1 thing is still unclear to me. DO YOU SEE THE CERTIFICATE POP UP WHEN YOU CONNECT TO THE SERVER?

If not, you have to include your client side certificate store into your $JAVA_HOME\jre\lib\security\cacerts keystore, using keytool -import with the -trustcacerts option. I use:

    keytool -import -alias drkw_root -file InvestmentBankCA_root.pem -trustcacerts -keystore cacerts -v

Tell me if you see the certificates already pop up when you connect to the website, then I will try to find if anything else is going wrong.

cheers
Tathagat

-----Original Message-----
From: Rodrigo Ruiz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 20, 2002 17:54
To: Tomcat Users List
Subject: Re: Client Certificates on Tomcat 3.3.1

> [...]
RE: Client Certificates on Tomcat 3.3.1
Also regarding the PEM file, I get it from the authority who generates my certificates (for the whole of my organization). So I don't generate PEM files. Please look in google how to get them yourself.

cheers
Tathagat

-----Original Message-----
From: Rodrigo Ruiz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 20, 2002 17:54
To: Tomcat Users List
Subject: Re: Client Certificates on Tomcat 3.3.1

> [...]