Hi all, I know this is at least the third request I have seen regarding this topic. Maybe we need more information in the Tomcat documentation?
I've been trying for a day now to get this to work without success. Hopefully someone here can help.

I'm running Tomcat 4.0.2 in standalone mode. I have enabled SSL with the following configuration in my server.xml:

    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="false" acceptCount="10" debug="99"
               scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               debug="1" clientAuth="true" protocol="TLS"/>
    </Connector>

This configuration works fine with secure="false" (i.e. no client authentication).

First, I used keytool to add the tomcat alias to USER_HOME/.keystore. Then, I used OpenSSL (OpenSSL 0.9.6c 21) to create a CA, and have added that CA to the cacerts keystore (using -trustcacerts with keytool). I then used the local OpenSSL CA to request and then sign a user certificate.

I am testing my server-side configuration in two ways that both fail. In both cases, I have set javax.net.debug=ssl for the server.

1) Convert both the user and CA certificates to PKCS12, import them both into Internet Explorer, and then attempt to go to https://localhost:8443/index.html. This gets me a "Page cannot be displayed" error on the client side. On the server side I get "handshake-failed" messages.

2) Run a Java program that uses the user certificate to connect to TC. This program fails with an exception:

    Exception in thread "main" javax.net.ssl.SSLHandshakeException: Couldn't find trusted certificate

On the server side I get "certificate_unknown" error messages.

I'm more concerned with the second case, since this is closer to what we are actually trying to do, although I need to get both scenarios working.

Can anyone summarize the criteria used by Tomcat+SSL to determine that the certificate passed over was "unknown"? What exactly is the role of the self-signed Tomcat alias certificate that is required?
Thanks in advance,
Michael

Michael Migdol
Senior Staff SW Engineer
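Added example, not part of the original message: a local check, independent of Tomcat, that a user certificate signed by a private OpenSSL CA (the setup described in the post) verifies against that CA and not against an unrelated one. All file names and subject names are constructed, and it assumes a current `openssl` binary with its default configuration file.

```shell
#!/bin/sh
# Added example: every file name and subject name below is constructed.

make_ca() {            # $1 = output prefix, $2 = common name
    # Self-signed CA certificate and key (throwaway, 1 day validity).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_user_cert() {     # $1 = CA prefix, $2 = user prefix
    # Certificate request for the user, then signed by the CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=test-user" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -set_serial 1 -days 1 -out "$2.pem" 2>/dev/null
}

chains_to() {          # $1 = trust anchor PEM, $2 = certificate PEM
    # Exit status 0 only if the certificate verifies against the anchor.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run in a temporary directory.
dir=$(mktemp -d) && trap 'rm -rf "$dir"' EXIT
make_ca "$dir/ca" "Example Local CA"
make_ca "$dir/other" "Unrelated CA"
make_user_cert "$dir/ca" "$dir/user"

for anchor in ca other; do
    if chains_to "$dir/$anchor.pem" "$dir/user.pem"; then
        echo "$anchor.pem: user certificate verifies against this anchor"
    else
        echo "$anchor.pem: user certificate does NOT verify against this anchor"
    fi
done
```

Running the same `openssl verify -CAfile` check on the real CA and user certificate files shows whether the signing step itself produced a verifiable chain before any keystore or server configuration is involved.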