SSL Client Authorization
I'm writing an application with SSL that's been working fine, and would like to enable client authorization. It seemed like the thing to do was go to my connector (org.apache.coyote.tomcat5.CoyoteConnector) and enable it there. Lo and behold there is a method (setClientAuth) that seems to do what I want, but for some strange reason it takes a string as an argument instead of a boolean. What am I missing here? How do I enable this?

Sander Smith
Re: SSL Client Authorization
Sander,

If what you want is to have the client present a certificate for validation, then in your connector have something like

    clientAuth="true"

See http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html

If you are looking for something different let us know.

Doug
www.parsonstechnical.com

- Original Message -
From: Sander Smith
Sent: Tuesday, June 01, 2004 6:29 AM
Subject: SSL Client Authorization
Re: SSL Client Authorization
Doug,

Thanks for your help but this isn't what I need. Yes, I want the client to present a certificate for validation during the SSL handshake, but your solution is not available to me. You suggest putting something in a config file, but I'm running Tomcat embedded, so all of the configuration is happening programmatically. I have an org.apache.coyote.tomcat5.CoyoteConnector and I call setKeystoreFile(...), setKeyAlias(...), etc. to set up the server-side SSL, and this is working great. When I want to request a client certificate I would expect to call setClientAuth(...) to do this. However, I'd expect to pass a boolean into this method, but instead the interface requires a String! To make matters worse, there's no documentation to say what this string is. Does anyone know how to do this programmatically?

Sander Smith

At 08:20 AM 6/1/2004 -0400, Doug wrote the reply quoted above.
Re: SSL Client Authorization
According to this link

    http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html

possible values are "true", "want", and (I presume) "false". I use client authentication in (non-embedded) Tomcat, and "true" does indeed require client authentication.

-Jim
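An added example, not code from the thread: the programmatic form of Doug's and Jim's answers for an embedded Tomcat 5.0 CoyoteConnector, followed by a servlet filter that performs the authorization step the handshake itself does not make. Beyond the three setters named in the thread, setPort, setScheme, setSecure and setKeystorePass are assumed to mirror the same-named server.xml attributes; the class names and the issuerDn init-param are mine.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.coyote.tomcat5.CoyoteConnector;

public class ClientAuthSetup {

    // Programmatic equivalent of the server.xml attributes. clientAuth is a String
    // because the attribute has three settings: "true" (certificate required, the
    // handshake fails without one), "want" (requested but optional) and "false".
    public static CoyoteConnector httpsConnector(String keystoreFile, String keystorePass,
                                                 String keyAlias) {
        CoyoteConnector c = new CoyoteConnector();
        c.setPort(8443);                   // assumed setter, mirrors the port attribute
        c.setScheme("https");
        c.setSecure(true);
        c.setKeystoreFile(keystoreFile);   // e.g. ssl/server/server.ks from the CA recipe
        c.setKeystorePass(keystorePass);   // assumed setter, mirrors keystorePass
        c.setKeyAlias(keyAlias);           // "tomcat"
        c.setClientAuth("true");           // the String Sander was looking for
        return c;                          // hand this to Embedded.addConnector(...)
    }

    // The handshake only proves the client holds a certificate chaining to a CA in the
    // server keystore. Which of those clients may use the application is a separate
    // decision, taken here from the chain Tomcat exposes to the servlet layer.
    public static boolean isAuthorized(X509Certificate[] chain, X500Principal issuer) {
        // chain is null when clientAuth="want" and the client sent nothing
        if (chain == null || chain.length == 0) {
            return false;
        }
        // chain[0] is the client's own certificate; the CA that signed it must be ours
        return chain[0].getIssuerX500Principal().equals(issuer);
    }

    public static class IssuerFilter implements Filter {
        private X500Principal issuer;

        public void init(FilterConfig cfg) throws ServletException {
            String dn = cfg.getInitParameter("issuerDn");   // hypothetical init-param
            if (dn == null) {
                throw new ServletException("issuerDn init-param is required");
            }
            issuer = new X500Principal(dn);
        }

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain next)
                throws IOException, ServletException {
            // standard Servlet attribute carrying the client's certificate chain
            X509Certificate[] chain = (X509Certificate[])
                    req.getAttribute("javax.servlet.request.X509Certificate");
            if (!isAuthorized(chain, issuer)) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            next.doFilter(req, res);
        }

        public void destroy() {}
    }
}
```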
Re: SSL Client Authorization
Rich,

Here are some instructions on using OpenSSL to set up your own CA.

SETTING UP YOUR CA
---

Step 1. Go to www.openssl.org and download the source code. Even Windows users need to build it, so you'll need access to a C compiler. You may be able to get hold of prebuilt binaries on the web and you can certainly get hold of the GNU C compiler or you can use Borland and Microsoft compilers. There are good build instructions included with the source distribution, so I won't go into build details.

Step 2. Create directories to hold your CA keys, your server keys and, if you want to use SSL client authentication, your client keys. For the sake of argument let's assume that these directories are called ssl/ca, ssl/server and ssl/client.

Step 3. Create a private key and certificate request for your own CA:

    openssl req -new -newkey rsa:1024 -nodes -out ssl/ca/ca.csr -keyout ssl/ca/ca.key

Step 4. Create your CA's self-signed certificate (note: this lasts one year; increase the -days setting to whatever you want):

    openssl x509 -trustout -signkey ssl/ca/ca.key -days 365 -req -in ssl/ca/ca.csr -out ssl/ca/ca.pem

WINDOWS USERS: If you copy the ca.pem file to ca.crt and edit the file so that the strings TRUSTED CERTIFICATE read CERTIFICATE, you can import your CA certificate into your trusted root certificates store.

Step 5. Import the CA certificate into the JDK certificate authorities keystore:

    keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file ssl/ca/ca.pem -alias my_ca

Windows users need to replace $JAVA_HOME with %JAVA_HOME%.

Step 6. Create a file to hold your CA's serial numbers. This file starts with the number 2:

    echo 02 > ssl/ca/ca.srl

SETTING UP YOUR WEB SERVER
---

Step 7. Create a keystore for your web server:

    keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keystore ssl/server/server.ks -storetype JKS

Step 8. Create a certificate request for your web server:

    keytool -certreq -keyalg RSA -alias tomcat -file ssl/server/server.csr -keystore ssl/server/server.ks

Step 9. Have your CA sign your certificate request:

    openssl x509 -CA ssl/ca/ca.pem -CAkey ssl/ca/ca.key -CAserial ssl/ca/ca.srl -req -in ssl/server/server.csr -out ssl/server/server.crt -days 365

Step 10. Import your signed server certificate into your server keystore:

    keytool -import -alias tomcat -keystore ssl/server/server.ks -trustcacerts -file ssl/server/server.crt

You should see the message "Certificate reply was installed in keystore".

Step 11. Import your CA certificate into your server keystore:

    keytool -import -alias my_ca -keystore ssl/server/server.ks -trustcacerts -file ssl/ca/ca.pem

This step is only necessary if you wish to use SSL client authentication with Tomcat.

Step 12. Set up an SSL connector for Tomcat. I assume that you know, or can find out, how to do this. Open up conf/server.xml in a text editor and search for the text keystoreFile. Ensure that the attribute value is the keystore you've created above.

SETTING UP AN SSL CLIENT
---

Step 13. Create a client certificate request:

    openssl req -new -newkey rsa:512 -nodes -out ssl/client/client1.req -keyout ssl/client/client1.key

Step 14. Have your CA sign your client certificate:

    openssl x509 -CA ssl/ca/ca.pem -CAkey ssl/ca/ca.key -CAserial ssl/ca/ca.srl -req -in ssl/client/client1.req -out ssl/client/client1.pem -days 365

Step 15. Generate a PKCS12 file containing your client key and client certificate:

    openssl pkcs12 -export -clcerts -in ssl/client/client1.pem -inkey ssl/client/client1.key -out ssl/client/client1.p12 -name my_client_certificate

Step 16. Import the PKCS12 file into your web browser to use as your client certificate and key.

Repeat steps 13-16 as often as required.

Step 17. Enable client certificate authentication in Tomcat. Open up conf/server.xml and search for the text clientAuth. Set the value of the attribute to true.

I apologize in advance for any typing errors. Hopefully, it's all correct and you should all be able to get up to speed with OpenSSL.
SSL Client Authorization
I'm looking for a good overview of how to achieve certificate-based client authorization using Tomcat. I've configured SSL and have set clientAuth=true. This seems to prohibit client access. I'm assuming this is because the client is not authorized. My question might be somewhat elementary: who creates client certificates, how are they created, and what needs to be done on the server to authorize a client in Tomcat, etc.? I'd appreciate any help!

Thanks,
Rich

Rich Paterson
client authorization.
Is it possible to use client certificate authorization without a password and its associated dialog?

Best Regards,
Anthony Geoghegan.
J2EE Developer
CPS Ireland Ltd.
Re: client authorization.
On Wed, 17 Jul 2002, Anthony Geoghegan wrote:

> Date: Wed, 17 Jul 2002 11:18:33 +0100
> Subject: client authorization.
>
> Is it possible to use client certificate authorization without a password and its associated dialog?

Tomcat 4.x can do this. See the docs for the version of Tomcat you are using:

    http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html
    http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html

Craig
RE: client authorization.
They only describe how to get a certificate on the server side. I mean the server can show a certificate to the client, but it does not say how the client sends a certificate to the server. I think we need to find this thing out.

-Original Message-
From: Craig R. McClanahan
Sent: Wednesday, July 17, 2002 16:59
To: Tomcat Users List
Subject: Re: client authorization.
RE: client authorization.
On Wed, 17 Jul 2002, Tathagat (London) wrote:

> Date: Wed, 17 Jul 2002 16:03:30 +0100
> Subject: RE: client authorization.
>
> They only describe how to get a certificate on the server side. I mean the server can show a certificate to the client, but it does not say how the client sends a certificate to the server.

You need to import a *client* certificate into your browser (following the procedures for your browser -- it has nothing to do with Tomcat). Then, when the server is set up to challenge for client certificates (which it will if you use CLIENT-CERT as the authentication mechanism, or you've set the clientAuth attribute on the HTTPS connector), the browser will pop up a dialog asking you which of your client certificates you want to send in response.

> I think we need to find this thing out.

Craig
Re: client authorization.
What if the client isn't a browser but a Microsoft ASP based HTTPXML call?

Best Regards,
Anthony Geoghegan.
J2EE Developer
CPS Ireland Ltd.

- Original Message -
From: Craig R. McClanahan
To: Tomcat Users List
Sent: Wednesday, July 17, 2002 5:09 PM
Subject: RE: client authorization.
Re: client authorization.
Then it really has nothing to do with Tomcat. Your ASPs need to implement SSL (sorry, I'm not versed in ASP :)

In Java you would need to import the client certificate (if not certified by a certified CA) into the JVM and tell it to trust it explicitly.

d.

Anthony Geoghegan wrote:

> What if the client isn't a browser but a Microsoft ASP based HTTPXML call?

--
David Mossakowski
Instinet Corporation
Need help with SSL Client Authorization
Hi all,

I know this is at least the third request I have seen regarding this topic. Maybe we need more information in the Tomcat documentation? I've been trying for a day now to get this to work without success. Hopefully someone here can help.

I'm running Tomcat 4.0.2 in standalone mode. I have enabled SSL with the following configuration in my server.xml:

    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="false" acceptCount="10" debug="99"
               scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               debug="1" clientAuth="true" protocol="TLS"/>
    </Connector>

This configuration works fine with secure="false" (i.e. no client authentication).

First, I used keytool to add the tomcat alias to USER_HOME/.keystore. Then, I used OpenSSL (OpenSSL 0.9.6c 21) to create a CA, and have added that CA to the cacerts keystore (using -trustcacerts with keytool). I then used the local OpenSSL CA to request and then sign a user certificate.

I am testing my server-side configuration in two ways that both fail. In both cases, I have set javax.net.debug=ssl for the server.

1) Convert both the user and CA certificates to PKCS12, import them both into Internet Explorer, and then attempt to go to https://localhost:8443/index.html. This gets me a "Page cannot be displayed" error on the client side. On the server side I get handshake-failed messages.

2) Run a Java program that uses the user certificate to connect to TC. This program fails with an exception:

    Exception in thread "main" javax.net.ssl.SSLHandshakeException: Couldn't find trusted certificate

On the server side I get certificate_unknown error messages.

I'm more concerned with the second case, since this is closer to what we are actually trying to do, although I need to get both scenarios working. Can anyone summarize the criteria used by Tomcat+SSL to determine that the certificate passed over was unknown? What exactly is the role of the self-signed Tomcat alias certificate that is required?

Thanks in advance,
Michael

Michael Migdol
Senior Staff SW Engineer
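An added example, not from the thread: the trust check JSSE applies to a peer's certificate during the handshake, reproduced outside Tomcat so a chain can be tested against a keystore before the server is started. Run it with the server keystore from Step 11 of the CA recipe and a client certificate, or with a client's truststore and the server certificate, since the same rule applies on both sides. Class and argument names are mine; the keystores are assumed to be JKS.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class ChainCheck {

    public static KeyStore loadKeyStore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");   // assumed: keystores are JKS
        InputStream in = new FileInputStream(path);
        try { ks.load(in, password.toCharArray()); } finally { in.close(); }
        return ks;
    }

    public static X509Certificate readPemCert(String path) throws Exception {
        InputStream in = new FileInputStream(path);
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally { in.close(); }
    }

    // Trust anchors are derived the way JSSE derives them from a truststore: every
    // trusted-certificate entry, plus the certificate of each key entry. A CA that was
    // never imported (Step 5 or Step 11 skipped) contributes no anchor, and any chain
    // it signed is rejected.
    public static Set<TrustAnchor> anchorsFrom(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
            } else if (ks.isKeyEntry(alias)) {
                Certificate[] c = ks.getCertificateChain(alias);
                if (c != null && c.length > 0) {
                    anchors.add(new TrustAnchor((X509Certificate) c[0], null));
                }
            }
        }
        return anchors;
    }

    // PKIX validation of the presented chain (end-entity first, anchor not included):
    // signature by an anchor and validity period. A failure here is what the other side
    // reports as certificate_unknown or "Couldn't find trusted certificate".
    public static String validate(List<X509Certificate> chain, Set<TrustAnchor> anchors) {
        try {
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false);   // the home-made CA publishes no CRL
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(path, params);
            return "trusted, anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathValidatorException e) {
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    // Usage: java ChainCheck ssl/server/server.ks <storepass> ssl/client/client1.pem
    public static void main(String[] args) throws Exception {
        KeyStore ks = loadKeyStore(args[0], args[1]);
        X509Certificate leaf = readPemCert(args[2]);
        System.out.println(validate(Collections.singletonList(leaf), anchorsFrom(ks)));
    }
}
```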