hi panos, Tomcat uses the standard java truststore to authenticate the client cert, not its keystore. See below for corrections:

----- Original Message -----
From: "Panos Skondras" <[EMAIL PROTECTED]>
To: "Tomcat Users" <[EMAIL PROTECTED]>
Sent: Thursday, October 03, 2002 12:06
Subject: Tomcat SSL

> Hi all again
>
> I am trying to work with tomcat and ssl with clientauth=true.
> I am trying to access the Tomcat on localhost and supply the client
> certificate through IE
> In tomcat i have a servlet which will print the certificate eventually.
> Here are the steps i take
> 1.<snip server.xml>
> <Connector className="org.apache.catalina.connector.http.HttpConnector"
>     port="8443" minProcessors="5" maxProcessors="75"
>     enableLookups="true"
>     acceptCount="10" debug="0" scheme="https" secure="true">
>   <Factory
>     className="org.apache.catalina.net.SSLServerSocketFactory"
>     clientAuth="auth" protocol="TLS"
>     keystoreFile="c:\keystore\server.keystore" keystorePass="771652"/>
> </Connector>
>
> </snip>
> 2. Create the server.keystore
> keytool -genkey -alias pask -keyalg rsa -keystore
> c:\keystore\server.keystore
>
> 3.export the key to be put in IE Trust Root Dir
> keytool -export -alias pask -keystore c:\keystore\server.keystore -file
> server.cer
>
> 4.In IE Content import the server.cer into Trust Root Dir providers
> Up to here if i put clientauth=false in server xml i have https
> connection to tomcat with the IE showing it is SECURE the lock appears.
>
> 5.Now on the same machine i create the client certificate
> keytool -genkey -alias pskon -keyalg rsa -keystore
> c:\keystore\client.keystore
> keytool -export -alias pskon -keystore c:\keystore\client.keystore -file
> cl.cer
> keytool -import -alias pskon -keystore c:\keystore\server.keystore -file
> cl.cer

this is the important thing: try

keytool -import -alias pskon -keystore %JAVA_HOME%\jre\lib\security\cacerts -file cl.cer

I think that the password for cacerts is "changeit", but I am not sure, check the docs for JSSE by Sun if it does not work.

Good luck,
memo

> I also copy the server.keystore in jre/lib/security just in case
> The attributes of the keys are CN=localhost ,ATHENS,ATHENS,ATHENS,GR
> When i put back clientauth=true restart catalina 4.0.4 on WINDOWS XP
> i get a page cannot be displayed sign.
>
> Am I doing something wrong..?
> Any ideas are welcome..
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
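The point memo makes above (the keystore named in the Connector holds the server's own key; the client certificate is validated against the JVM truststore) can be checked directly with JSSE, without going through Tomcat at all. The program below is an added example written for this thread; it is not code from either poster or from the Tomcat project. It builds the same kind of X509TrustManager that JSSE derives from a truststore and asks it whether an exported client certificate would pass client authentication. File paths and the truststore password are command-line placeholders; the cacerts default password is "changeit" (documented by Sun/Oracle), which confirms memo's guess.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Checks whether a client certificate (as written by "keytool -export")
 * would be accepted for TLS client authentication against a given truststore.
 * Added illustration for the thread; paths and passwords are placeholders
 * passed on the command line, not values taken from the original messages.
 */
public class ClientCertTrustCheck {

    /** Load a JKS store from disk (e.g. server.keystore or the JVM cacerts). */
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Build the X509TrustManager that JSSE would derive from this truststore. */
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager from default provider");
    }

    /** Read a DER- or PEM-encoded certificate file (both forms keytool -export can write). */
    static X509Certificate readCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * True when the trust manager accepts the certificate as a client cert,
     * i.e. the cert itself (self-signed, as keytool -genkey produces) or its
     * issuer is a trust anchor in the store. This is the check that fails
     * during the handshake when the cert is absent from the truststore.
     */
    static boolean isClientTrusted(X509TrustManager tm, X509Certificate cert) {
        try {
            tm.checkClientTrusted(new X509Certificate[] { cert }, "RSA");
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: ClientCertTrustCheck <truststore> <password> <client.cer>");
            System.exit(2);
        }
        KeyStore trustStore = loadStore(args[0], args[1].toCharArray());
        X509TrustManager tm = trustManagerFor(trustStore);
        X509Certificate clientCert = readCert(args[2]);

        System.out.println("client cert subject: " + clientCert.getSubjectX500Principal());
        System.out.println("trusted by " + args[0] + ": " + isClientTrusted(tm, clientCert));
    }
}
```

Run it against the JVM's cacerts before and after the import memo suggests: it reports false first and true afterwards, which is exactly the difference between the "page cannot be displayed" handshake failure and a working client-auth connection. Running it against server.keystore reports true as well, because the cert was imported there, but that store is never consulted for client trust, which is why step 5 as posted did not help. One caveat for anyone reproducing this: cacerts is trusted by every Java process using that JRE, so a client cert imported there is trusted JVM-wide; pointing JSSE at a dedicated truststore through the standard javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties keeps the set of accepted client certificates scoped to Tomcat.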
