Hi Mark, I have both the server and client .cer files imported into cacerts, but the problem persists.
Commands to generate the server and client keys:

    keytool -genkey -alias server -keyalg RSA -keystore serverstore.jks
    keytool -genkey -alias client -keyalg RSA -keystore clientstore.jks

Command to create the client certificate:

    keytool -export -alias client -file clientcert.cer -keystore clientstore.jks

Command to create the server certificate:

    keytool -export -alias server -file servercert.cer -keystore serverstore.jks

Commands to import the certificates:

    keytool -import -alias client -file clientcert.cer -keystore serverstore.jks

and, under $JAVA_HOME/jre/lib/security/:

    keytool -import -v -trustcacerts -alias server -file servercert.cer -keystore cacerts

-----Original Message-----
From: Mark Thomas [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 13, 2005 5:12 PM
To: Tomcat Users List
Subject: Re: SSL mutual communication problem with Tomcat5 --- Remote host closed connection during handshake

Hector Adolfo Alonso wrote:
> Hi Xia:
> I think you cannot use a self-signed certificate (as keytool
> generates) for mutual authentication.
> The user certificate's certificate authority signer should be the same that
> signs the server certificate. In this case,
> the server certificate is self-signed. On the other hand, who signs the
> client certificate? Is it self-signed too?
> In this case, there is a problem, because both of them are self-signed
> --> both of them are signed by
> different CAs --> there is a handshake failure.
> IMHO, Tomcat's cert should be signed by a true CA ... then the browser
> should recognize the CA's cert.
> I'm sure there is a more technical and deep explanation, but I hope
> this helps.

This is simply wrong. There is *no* requirement that the client and server certificates must be signed by the same CA for the handshake to work.
Possible causes of the problem are:

- client CA cert not in $JAVA_HOME/jre/lib/security/cacerts on the server
- client certificate not created with the correct usage types
- wrong key algorithm / signing algorithm selected

First, get HTTPS working with a server certificate. Then get it working over HTTPS using BASIC auth, and then get it working using CLIENT-CERT auth.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
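The three causes Mark lists (client cert missing from the server's truststore, wrong usage types, wrong algorithms) can each be checked with keytool itself. The script below is an added example written for this thread; it is not code from the thread or from Tomcat. It assumes a JDK 7 or later keytool on PATH (for the -ext option), and the store file names, the changeit password and the distinguished names are constructed for the demo. It keeps a dedicated server truststore rather than editing cacerts; in Tomcat the HTTPS connector's truststoreFile attribute points the server at such a store.

```shell
#!/bin/sh
# Added example (not from the thread): a keytool workflow for mutual TLS
# with explicit key usage / extended key usage and signature algorithm,
# plus checks for each of the causes listed in the reply above.
# Assumes keytool from JDK 7+ on PATH. All names and passwords are demo values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT
PASS=changeit   # demo store/key password, constructed for this example

# Generate an RSA key pair signed with SHA-256 and carrying usage extensions.
# $1 alias  $2 keystore  $3 CN  $4 extended key usage (serverAuth | clientAuth)
gen_keypair() {
  alias=$1; store=$2; cn=$3; eku=$4
  set -- -genkeypair -alias "$alias" -keystore "$store" -storetype JKS \
    -storepass "$PASS" -keypass "$PASS" \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 \
    -dname "CN=$cn, O=Example" \
    -ext "KU=digitalSignature,keyEncipherment" -ext "EKU=$eku"
  if [ "$eku" = serverAuth ]; then
    set -- "$@" -ext "SAN=dns:$cn"   # hostname the client will connect to
  fi
  keytool "$@"
}

# Export the self-signed certificate (DER) for alias $1 from keystore $2 to file $3.
export_cert() {
  keytool -exportcert -alias "$1" -keystore "$2" -storepass "$PASS" -file "$3"
}

# Import certificate file $2 as trusted entry $1 into truststore $3 (created if missing).
import_trusted() {
  keytool -importcert -noprompt -alias "$1" -file "$2" -keystore "$3" \
    -storetype JKS -storepass "$PASS"
}

# True if truststore $1 contains an entry with alias $2 (cause 1: trust not configured).
alias_in_store() {
  keytool -list -keystore "$1" -storepass "$PASS" -alias "$2" >/dev/null 2>&1
}

# True if DER certificate $1 lists extended key usage $2 (cause 2: wrong usage types).
# Only the ExtendedKeyUsages [...] block of the printcert output is searched.
cert_has_eku() {
  keytool -printcert -v -file "$1" \
    | awk '/ExtendedKeyUsages/ { f = 1 } f { print } f && /\]/ { f = 0 }' \
    | grep -q "$2"
}

# Build both sides: each party keeps its own key pair and trusts the other's cert.
setup_mutual_tls() {
  gen_keypair server "$WORK/server.jks" localhost serverAuth
  gen_keypair client "$WORK/client.jks" testclient clientAuth
  export_cert server "$WORK/server.jks" "$WORK/server.cer"
  export_cert client "$WORK/client.jks" "$WORK/client.cer"
  # Server side: this is the store Tomcat's connector must use as its truststore.
  import_trusted client "$WORK/client.cer" "$WORK/server-truststore.jks"
  # Client side: trust the self-signed server certificate.
  import_trusted server "$WORK/server.cer" "$WORK/client-truststore.jks"
}

# Print OK/FAIL for a check command.  $1 description, remaining args: the command.
check() {
  desc=$1; shift
  if "$@"; then echo "OK:   $desc"; else echo "FAIL: $desc"; fi
}

if command -v keytool >/dev/null 2>&1; then
  setup_mutual_tls
  check "server truststore contains the client cert" alias_in_store "$WORK/server-truststore.jks" client
  check "client truststore contains the server cert" alias_in_store "$WORK/client-truststore.jks" server
  check "client cert carries EKU clientAuth"        cert_has_eku "$WORK/client.cer" clientAuth
  check "server cert carries EKU serverAuth"        cert_has_eku "$WORK/server.cer" serverAuth
else
  echo "keytool not found on PATH; nothing to demonstrate" >&2
fi
```

The script deliberately does not touch $JAVA_HOME/jre/lib/security/cacerts: a per-service truststore is smaller, easier to audit, and survives a JDK upgrade. The EKU check is what the reply's "correct usage types" remark boils down to; a certificate without clientAuth may be rejected by the server during the CLIENT-CERT handshake.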