For JSSE, you need to have the signer in cacerts at the moment for Tomcat to include it in the list of signers it wants. PureTLS allows you to configure the list (without being root), but other problems mean that you can only use it in TC 5 HEAD at the moment.
Of course, the Tomcat support for CLIENT-CERT is pretty minimal at the moment. Only the (deprecated) MemoryRealm supports it (unless you write your own Realm).

"Dean Thompson" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Hi!
>
> I was wondering whether somebody might be able to explain what I am
> doing wrong with regards to the introduction of client certificates
> being used as a means for authentication under Tomcat v4.1.24 under
> Solaris 8, JDK 1.4.1_02.
>
> I have established my own little CA using OpenSSL 0.9.7b and have
> generated my own self-signed certificate as well as signing a
> certificate for my WWW server. I have imported the WWW certificate into
> the Java keystore with a little import key program by Joachim Karrer &
> Jens Carlberg.
>
> So far, everything is fine. I can download the CA certificate to my PC
> running Internet Explorer 6 and install it as a .p12 file. This allows
> me to access my WWW site via "https" without any problems.
>
> Problems start to appear when I generate a client certificate. Using
> the same CA, I generate and sign a certificate for a user. I then
> convert this certificate to a .p12 file using a command such as the
> following:
>
> openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12
>
> This can be loaded into the IE certificate manager as a personal
> certificate. IE will even confirm that the certificate is part of the
> chain belonging to the CA and that the certificate is trusted.
>
> Problems arise when I get Tomcat to request a client certificate using
> the CLIENT-CERT authentication method. When Tomcat hits this point it
> instructs IE to pop up a list of certificates that I can choose from.
> The problem is that the list is empty; there are no certificates to
> choose from.
>
> According to the reading that I have done, Tomcat should send IE the WWW
> certificate "issuer" information, and IE should scan its database and
> present the certificates which came from the issuer. This doesn't happen.
>
> Can anyone possibly suggest a reason as to why this behaviour is
> happening and what the solution is to it? I would be interested to hear
> from anyone who has actually implemented client authentication with
> Tomcat, especially the generation of the CA and client certificates.
>
> Thanks in advance.
>
> Dean Thompson

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
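The empty certificate picker in the quoted post comes down to the TLS CertificateRequest the server sends: its certificate_authorities list is built from the trust store the connector uses (cacerts for a stock JSSE setup), and the browser only offers client certificates whose issuer DN appears, byte for byte, in that list. The Python below is an added example, not code from this thread or from Tomcat: it builds such a message the way a TLS 1.0 server would, parses it the way a client would, and filters a constructed set of client certificates by issuer. The CA names, certificate labels and the `picker_contents` helper are made up for illustration.

```python
"""
Why the browser's certificate picker can be empty: the server advertises
the CAs it trusts in CertificateRequest.certificate_authorities, and the
browser shows only client certificates issued by one of them.
Added example; DNs and certificate labels are constructed, not real.
"""
import struct

# Attribute type OIDs used in the constructed names: C, O, CN.
OID = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}


def der_tlv(tag, body):
    """Encode one DER TLV (definite lengths up to 65535, enough for names)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + body


def der_name(attrs):
    """X.501 Name ::= SEQUENCE OF RDN; each RDN is a SET holding one
    AttributeTypeAndValue SEQUENCE { OID, UTF8String }."""
    rdns = b""
    for typ, val in attrs:
        atv = der_tlv(0x30, der_tlv(0x06, OID[typ]) + der_tlv(0x0C, val.encode()))
        rdns += der_tlv(0x31, atv)
    return der_tlv(0x30, rdns)


def build_certificate_request(ca_names):
    """Server side: TLS 1.0/1.1 CertificateRequest (RFC 2246 section 7.4.4),
    handshake type 13. TLS 1.2 adds supported_signature_algorithms before
    the CA list; the JDK 1.4 era stacks in the thread spoke TLS 1.0."""
    cert_types = bytes([1, 1])                       # one type: rsa_sign
    cas = b"".join(struct.pack(">H", len(n)) + n for n in ca_names)
    body = cert_types + struct.pack(">H", len(cas)) + cas
    return bytes([13]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg):
    """Client side: return the DER DistinguishedNames the server will accept."""
    if not msg or msg[0] != 13:
        raise ValueError("not a CertificateRequest")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    pos = 1 + body[0]                                # skip certificate_types
    (cas_len,) = struct.unpack(">H", body[pos:pos + 2])
    pos += 2
    end = pos + cas_len
    if end != len(body):
        raise ValueError("certificate_authorities length mismatch")
    names = []
    while pos < end:
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        pos += 2
        if pos + n > end:
            raise ValueError("truncated DistinguishedName")
        names.append(body[pos:pos + n])
        pos += n
    return names


def selectable_client_certs(client_certs, cert_request):
    """What the picker shows: certificates whose issuer DN equals an entry
    in certificate_authorities. client_certs is a list of
    (label, issuer_dn_der) pairs standing in for the browser's store."""
    acceptable = set(parse_certificate_request(cert_request))
    return [label for label, issuer in client_certs if issuer in acceptable]


# Constructed data: the poster's private CA and a stock public CA.
PRIVATE_CA = der_name([("C", "AU"), ("O", "Home CA"), ("CN", "Home CA Root")])
PUBLIC_CA = der_name([("C", "US"), ("O", "Public CA"), ("CN", "Public CA Root")])
CLIENT_CERTS = [
    ("user cert issued by Home CA", PRIVATE_CA),
    ("user cert issued by Public CA", PUBLIC_CA),
]


def picker_contents(truststore_cas):
    """Simulate the handshake against a server whose trust store holds truststore_cas."""
    return selectable_client_certs(CLIENT_CERTS, build_certificate_request(truststore_cas))


if __name__ == "__main__":
    # Stock cacerts only: the private CA is never advertised, so the
    # home-issued certificate is not offered, the symptom in the thread.
    print("without private CA in cacerts:", picker_contents([PUBLIC_CA]))
    # After importing the CA certificate into the trust store:
    print("with private CA in cacerts:   ", picker_contents([PUBLIC_CA, PRIVATE_CA]))
```

The practical fix the reply points at is to import the CA certificate into the trust store the connector actually reads, for example `keytool -import -alias homeca -file ca.crt -keystore $JAVA_HOME/jre/lib/security/cacerts` (JDK 1.4 spelling of the command; the alias and file names are assumed), then restart Tomcat. Until the CA's DN is in that list the browser has nothing to match against, however valid the client certificate is locally.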
