I don't know if this applies to Apache Tomcat, but Apache Web Server does not like IE certs. There was an article in Eweek that talked about how Apache follows the standard, and Microsoft (as usual) "innovated" in regards to SSL, TLS, etc. So that Internet Explorer does work quite right with Apache Web Server. This might be what you are seeing. Verisign must have "broken" their certs to work with both IIS and Apache.
Adam Greene ROMulin Group Inc 885 Main St, Suite 16 Moncton, NB E1C 1G5 Ph: (506) 863-1014 x4 Fx: (506) 854-6886 http://www.romulin.com/ -----Original Message----- From: Henrik Schultz [mailto:[EMAIL PROTECTED]] Sent: Monday, July 01, 2002 11:43 AM To: tomcat-user Subject: Tomcat 4 - OpenSSL - IE client certificate works partially Greetings all... For those not interested in client certificates at the deep technical level, this is probably not your favorite cup of tea. Otherwise read on. Enabling SSL in Tomcat is really no sweat using your own home-made certificates, thanks to the excellent HOW-TO. Once you get your root CA certificate installed in the right places, and a suitable certificate installed in Tomcat, everything works just fine. However, creating client certificates that works with IE has (at least for me) shown to be a real pain. I've experimented for months, and tried numerous postings on this list, but noone seemed to know the finer details. It was only recently I had a breakthrough, in that a trial certificate from Verisign allowed me to compare that and a home-made one, and find the bits that makes the difference, that is, what it takes for it to be shown on the selection list in IE when the server asks for a client certificate. Last night I succeeded. The right combination of keytool and openssl maneuvres to setup a private CA, finally generated a certificate that installed without a hitch in IE, and came up when I subsequently connected to my SSL enabled Tomcat. So far so good. However there is still one major obstacle ... the server aborts the connection right away :-(((( IE tells me: "The page cannot be displayed The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings." In other words, the usual message that indicates that the server screwed up, and closed the connection. Interestingly enough the Verisign certificate works just fine. So there is apparently still a difference to Tomcat. Have tried to connect using openssl s_client - works A-OK, also with my home-made certificate. Have looked in the tomcat logs to no avail. There is no trace anywhere why the connection breaks. So the question to the list is: how would I go by diagnosing this? I believe that the problem must be related to the SSL container (?) that responds to the traffic on port 443, and does all the SSL handshaking, because my application never sees anything. Just like in Apache there's an error log for all the pages that fail - isn't there such a log in Tomcat? Thanks for any input or advice you might have! PS. If anyone is interested in a writeup or HOW-TO of making client certificates for Tomcat, let me know. This is certainly tricky stuff! Henrik Schultz Senior Systems Architect Consultant to Maersk Data AS Tel.: +45 39 10 21 13 Mobile: +45 22 12 24 29 E-mail: [EMAIL PROTECTED] -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
