Ok, a step forward
After some changes in my certificates, I have a client that successfully
sends its certificates to the server.
From the browser, it doesn't connect at all (no certificate pop-ups, and no
connection established).
Explorer requests now raise the following exception in Tomcat:
Thread-17, WRITE: SSL v3.0 Handshake, length = 2825
Thread-17, READ: SSL v3.0 Alert, length = 2
Thread-17, RECV SSLv3 ALERT: warning, no_certificate
SSL -- handshake alert: no_certificate
Thread-17, SEND SSL v3.0 ALERT: fatal, description = handshake_failure
Thread-17, WRITE: SSL v3.0 Alert, length = 2
PoolTcpEndpoint: Handshake failed
javax.net.ssl.SSLException: javax.net.ssl.SSLProtocolException: handshake
alert: no_certificate
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
at java.io.OutputStream.write(OutputStream.java:61)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
...
But my java client does the handshake correctly. I am using the same
certificates in both cases, any idea about the problem with Explorer?
The java client is working with BASIC authorization level. It still doesn't
work with CLIENT-CERT.
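As an added illustration (not part of the original thread), a small Python parser that reads JSSE debug output like the trace above and turns the alert exchange into a diagnosis; the sample log is constructed from the lines quoted in the message, and the alert meanings are general TLS alert semantics rather than anything specific to this setup:

```python
import re

# Constructed sample: the JSSE debug lines quoted in the message above.
SAMPLE_LOG = """\
Thread-17, WRITE: SSL v3.0 Handshake, length = 2825
Thread-17, READ: SSL v3.0 Alert, length = 2
Thread-17, RECV SSLv3 ALERT: warning, no_certificate
SSL -- handshake alert: no_certificate
Thread-17, SEND SSL v3.0 ALERT: fatal, description = handshake_failure
Thread-17, WRITE: SSL v3.0 Alert, length = 2
"""

# Alert received from the peer vs. alert sent by this side (JSSE wording).
RECV_RE = re.compile(r"RECV SSLv3 ALERT: (\w+), (\w+)")
SEND_RE = re.compile(r"SEND SSL v3\.0 ALERT: (\w+), description = (\w+)")

# What each client alert usually means when the server asked for a client cert.
DIAGNOSIS = {
    "no_certificate": "client answered the CertificateRequest with no certificate: "
                      "the browser holds no cert issued by a CA the server trusts",
    "unknown_ca": "client does not trust the CA that issued the server certificate",
    "bad_certificate": "client rejected the server certificate as invalid",
    "certificate_unknown": "client could not validate the server certificate",
}

def parse_alerts(log):
    """Return (received, sent) as lists of (level, description) tuples."""
    received, sent = [], []
    for line in log.splitlines():
        m = RECV_RE.search(line)
        if m:
            received.append((m.group(1), m.group(2)))
            continue
        m = SEND_RE.search(line)
        if m:
            sent.append((m.group(1), m.group(2)))
    return received, sent

def diagnose(log):
    """Explain why the handshake failed, based on the first alert in the log."""
    received, sent = parse_alerts(log)
    if not received and not sent:
        return "no alerts: handshake completed or log too short"
    if received:  # the peer complained first, so its alert is the root cause
        level, desc = received[0]
        return f"client sent {level} {desc}: " + DIAGNOSIS.get(desc, "unrecognised alert")
    return "server aborted first: " + sent[0][1]
```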
----- Original Message -----
From: "Tathagat (London)" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Sent: Tuesday, August 20, 2002 6:02 PM
Subject: RE: Client Certificates on Tomcat 3.3.1
> 1 thing is still unclear to me. DO YOU SEE THE CERTIFICATE POP UP WHEN YOU
> CONNECT TO THE SERVER?
>
> If not, you have to include your client-side certificate store into your
> $JAVA_HOME\jre\lib\security\cacerts keystore, using keytool -import with the
> -trustcacerts option.
>
> I use:
>
> keytool -import -alias drkw_root -file InvestmentBankCA_root.pem
> -trustcacerts -keystore cacerts -v
>
> Tell me if you see the certificates already pop up when you connect to the
> website, then I will try to find if anything else is going wrong.
>
> cheers
> Tathagat
>
> -----Original Message-----
> From: Rodrigo Ruiz [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 20, 2002 17:54
> To: Tomcat Users List
> Subject: Re: Client Certificates on Tomcat 3.3.1
>
>
> Tathagat, at this moment I am generating my own self-signed server and
> client certificates :-P
>
> I have no .pem files, as I don't rely on any third-party provider. The keystore I
> am using in my server has the following entries:
>
> thawtepersonalfreemailca, Fri Feb 12 21:12:16 CET 1999, trustedCertEntry,
> thawtepersonalbasicca, Fri Feb 12 21:11:01 CET 1999, trustedCertEntry,
> verisignclass3ca, Mon Jun 29 19:05:51 CEST 1998, trustedCertEntry,
> thawtepersonalpremiumca, Fri Feb 12 21:13:21 CET 1999, trustedCertEntry,
> thawteserverca, Fri Feb 12 21:14:33 CET 1999, trustedCertEntry,
> verisignclass4ca, Mon Jun 29 19:06:57 CEST 1998, trustedCertEntry,
> verisignserverca, Mon Jun 29 19:07:34 CEST 1998, trustedCertEntry,
> verisignclass1ca, Mon Jun 29 19:06:17 CEST 1998, trustedCertEntry,
> thawtepremiumserverca, Fri Feb 12 21:15:26 CET 1999, trustedCertEntry,
> verisignclass2ca, Mon Jun 29 19:06:39 CEST 1998, trustedCertEntry,
> tomcat-sv, Tue Aug 20 16:39:06 CEST 2002, keyEntry,
>
> The last entry is my own server certificate.
>
> From this point, using the KeyMan tool, I do this:
>
> 1. Create an empty keystore
> 2. Import the server certificate as a CA certificate into this new keystore
> 3. Create a new key pair
> 4. Create a .csr file
> 5. From the server keystore, create a certificate for this .csr (it creates
> a .cer file with an X509 certificate chain)
> 6. Create a PKCS #12 token
> 7. Import the .cer created at point 5
> 8. Save the token (as a .pfx file)
>
> Once I have this file, I import the server certificate into the trusted CA
> provider store (I can do this directly from the pop-up window that the
> browser shows on server connection).
>
> Finally, I import the .pfx file into Explorer.
>
> Is it enough to import the server certificate, or do I have to generate a
> .pem file for my server certificate? If so, which tool should I use?
>
> Now it seems to connect to the server, but it still receives an HTTP 401
> error message.
>
> My web-app has activated the CLIENT-CERT authentication scheme. If I relax
> this to BASIC, all seems to work fine. The browser shows the user/password
> dialog box, and I am in :-)
>
> Could it be a problem related to the realm? How do you specify the list of
> valid users? In CLIENT-CERT mode, you don't have user/password info.
>
> Thanks a lot!
>
> ----- Original Message -----
> From: "Tathagat (London)" <[EMAIL PROTECTED]>
> To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> Sent: Tuesday, August 20, 2002 5:14 PM
> Subject: RE: Client Certificates on Tomcat 3.3.1
>
>
> > ok,
> > what you have to do is put the certificate provider into your java's
> > security file.
> >
> > keytool -import blah blah (options)
> >
> > what you have to import are ".PEM" files which you get from the certificate
> > providers. Then IE will pop up your certificates. Please read the keytool
> > documentation on the Sun site and most things in my mail will be clear.
> >
> > cheers
> > Tathagat
> >
>
>
> --
> To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
>
>
> ----------------------------------------------------------------------
> If you have received this e-mail in error or wish to read our e-mail
> disclaimer statement and monitoring policy, please refer to
> http://www.drkw.com/disc/email/ or contact the sender.
> ----------------------------------------------------------------------
>
>