Hi,
I was wondering whether somebody might be able to explain what I am doing wrong with regards to the introduction of client certificates being used as a means for authentication under Tomcat v4.1.24 under Solaris 8, JDK 1.4.1_02.
I have established my own little CA using OpenSSL 0.9.7b, have generated my own self-signed certificate, and have signed a certificate for my WWW server. I have imported the WWW certificate into the Java keystore with a little import-key program by Joachim Karrer & Jens Carlberg.
So far, everything is fine, I can download the CA certificate to my PC running Internet Explorer 6 and install it as a .p12 file. This allows me to access my WWW site via "https" without any problems.
Problems start to appear when I generate a client certificate. Using the same CA, I generate and sign a certificate for a user. I then convert this certificate to a .p12 file using a command such as the following:
openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12
This can be loaded into the IE certificate manager as a personal certificate. IE will even confirm that the certificate is part of the chain belonging to the CA and that the certificate is trusted.
Problems arise when I get Tomcat to request a client certificate using the CLIENT-CERT authentication method. When Tomcat hits this point it instructs IE to pop up a list of certificates that I can choose from. The problem is that the list is empty; there are no certificates to choose from.
According to the reading that I have done, tomcat should send IE the WWW certificate "issuer" information, and IE should scan its database and present the certificates which came from the issuer. This doesn't happen.
Can anyone possibly suggest a reason as to why this behaviour is happening and what the solution is to it? I would be interested to hear from anyone who has actually implemented client authentication with Tomcat, especially the generation of the CA and client certificates.
Thanks in advance.
Dean Thompson
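An added example, not part of the post above and not Dean's commands: the shell script below builds a throwaway test PKI with OpenSSL (a CA, a server certificate and a client certificate signed by that CA), exports the client certificate to a .p12 with the CA certificate bundled, and then checks the facts that decide whether a browser's certificate picker will be empty. In the TLS handshake the server's CertificateRequest carries the subject DNs of the CAs it trusts, and the browser lists only client certificates whose issuer DN is in that list. A JSSE-based server such as Tomcat 4.1 takes that list from its truststore (the JVM's default cacerts unless the javax.net.ssl.trustStore system properties point elsewhere), not from the keystore that holds the server certificate, so a private CA has to be imported into the truststore before its DN is ever sent. The names "Example Test CA", "www.example.test", "dean" and the password "changeit" are demo values chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway test PKI
# with OpenSSL and check the things that must line up before a browser will
# list a client certificate for a server that requests one.
# Assumed names: "Example Test CA", "www.example.test", "dean" and the
# password "changeit" are demo values, not values from the post.
set -eu

WORK=${WORK:-$(mktemp -d)}   # scratch directory for keys and certs
P12PASS=changeit

# Issue a key pair and a certificate signed by the test CA.
# usage: issue_cert <basename> <subject-DN>
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Step 1: self-signed CA, then a server cert and a client cert signed by it.
build_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    issue_cert server "/CN=www.example.test"
    issue_cert client "/CN=dean"
}

# Step 2: bundle the client key, client cert and CA cert into a PKCS#12 file.
# The key goes in -inkey (not a second -in); -certfile adds the CA cert so the
# browser can build the chain on import.
export_client_p12() {
    openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -certfile "$WORK/ca.crt" -passout "pass:$P12PASS" \
        -out "$WORK/client.p12"
}

# Check A: the client cert must verify against the CA the server trusts.
client_chains_to_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1
}

# Check B: the .p12 should carry both the client cert and the CA cert (2).
p12_cert_count() {
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Check C: the client cert's issuer DN must equal the subject DN of a CA in the
# server's truststore; that DN list is what the server sends in its TLS
# CertificateRequest, and the browser filters its certificate picker by it.
issuer_matches_ca() {
    issuer=$(openssl x509 -in "$WORK/client.crt" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$WORK/ca.crt" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

build_pki
export_client_p12
echo "files written to $WORK"
client_chains_to_ca && echo "client.crt chains to ca.crt: OK"
echo "certificates inside client.p12: $(p12_cert_count)"
if issuer_matches_ca; then
    echo "client issuer matches CA subject: OK"
else
    echo "client issuer does not match CA subject" >&2
fi
```

To make the server actually advertise the test CA, import ca.crt into the truststore the JVM uses, for example with `keytool -import -trustcacerts -alias testca -file "$WORK/ca.crt" -keystore /path/to/truststore.jks`, and point Tomcat's JVM at that file with `-Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=...`. With the CA's DN in the CertificateRequest and a client certificate whose issuer DN matches it (check C above), the browser has something to list.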