You can't generally use a self-signed client cert with JSSE (you can
configure PureTLS to accept it, but another bug means that you'd have to
wait for 4.1.26).  The work-around is way too much trouble for the sysadmin,
and I don't feel like being an enabler for a truly hideous design.  So,
you'll just have to read the JSSE docs for yourself ;-).

If you need to issue your own client certs, I'd suggest setting up your own
CA (with OpenSSL or otherwise) and importing your CA's cert into cacerts.  You
can then hand out client certs, and Tomcat will accept them.

"Dmitry S.Rogulin" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hello all,
>
> Sorry for the previous e-mail. %)
>
> This theme was discussed about month ago. I tried to use what I've
> found but I'm still having a problem...
>
> I'm trying to do SSL client authentication with Tomcat 4.1.18 (clientAuth="true").
>
> 1. I've generated a client certificate using keytool:
>   keytool -genkey -alias tomcat-cl -keyalg RSA -keystore client.keystore
>
> 2. Then I created Certificate Signing Request:
>   keytool -certreq -keyalg RSA -alias tomcat-cl -file certreq.csr -keystore client.keystore
>
> 3. I sent it to CA and got a signed certificate and CA Certificate.
> 4. I imported them to the client keystore:
>   keytool -import -alias root -keystore client.keystore -file cacert
>   keytool -import -alias tomcat-cl -keystore client.keystore -file usercert
>
> 5. I exported server certificate and imported it as a trusted to the
> trusted keystore:
>   keytool -import -trustcacerts -alias tomcat -file server.cer -keystore trust.keystore
>
> 6. I imported CA Certificate to "\jre\lib\security\cacerts" :
>   keytool -import -file cacert -keystore %java_home%\jre\lib\security\cacerts -storepass changeit
>
>   I'm running Tomcat and test client on the same machine.
>   Server keystore: %USERHOME%\.keystore
>   Client keystore: %USERHOME%\client.keystore
>   Client trusted keystore: %USERHOME%\trust.keystore
>
>   Test Client:
> ********************************************
> import java.net.*;
> import java.io.*;
> import java.util.*;
> import java.security.*;
> import javax.net.ssl.*;
>
> public class SimpleClient {
>
>         public static void main(String[] args) {
>                 // Trust store: holds the server certificate (trust.keystore).
>                 System.setProperty("javax.net.ssl.trustStore",
>                         System.getProperty("user.home") + File.separator + "trust.keystore");
>
>                 // Key store: holds the client key and its CA-signed certificate.
>                 System.setProperty("javax.net.ssl.keyStore",
>                         System.getProperty("user.home") + File.separator + "client.keystore");
>                 System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
>
>                 InputStream is = null;
>                 ByteArrayOutputStream os = new ByteArrayOutputStream();
>
>                 try {
>                         URL url = new URL("https://localhost:8443/readme.txt");
>
>                         try {
>                                 is = url.openStream();
>
>                                 byte[] buffer = new byte[4096];
>                                 int bytes_read;
>                                 while ((bytes_read = is.read(buffer)) != -1)
>                                         os.write(buffer, 0, bytes_read);
>
>                                 System.out.println(os.toString());
>
>                         } catch (Exception e) { e.printStackTrace(); }
>                         finally {
>                                 try {
>                                         // openStream() may have thrown, leaving is == null
>                                         if (is != null) is.close();
>                                         os.close();
>                                 } catch (IOException e) { e.printStackTrace(); }
>                         }
>
>                 } catch (Exception e) { e.printStackTrace(); }
>         }
> }
> ********************************************
>
> With [clientAuth="false"] it works fine, but with [clientAuth="true"]
> it gives an error:
>
> java.net.SocketException: Software caused connection abort: recv failed
>         at java.net.SocketInputStream.socketRead0(Native Method)
>         at java.net.SocketInputStream.read(SocketInputStream.java:129)
>         at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>
> What did I do in a wrong way?
>
> Thanks in advance.
>
> Best regards,
> Dmitry.
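The private-CA route suggested in the reply above, as an added example that is not part of the thread: OpenSSL builds a CA, signs a client CSR (the step keytool -certreq prepared in the post), and a keytool step puts only the CA cert into the server's trust store. It assumes openssl and keytool are on PATH; subject names, file names and the alias example-ca are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Names and paths are constructed.
set -e

# Create a CA and one client cert under directory $1.
# Returns 0 only if the client cert chains to the CA.
make_client_ca() {
  dir="$1"
  mkdir -p "$dir"

  # 1. CA key + self-signed CA cert, explicitly marked CA:TRUE so JSSE
  #    will treat it as an issuer once it sits in the trust store.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Private CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

  # 2. Client key + CSR (what keytool -genkey / -certreq produced in the post).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=tomcat-cl" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null

  # 3. The CA signs the CSR; the cert is limited to client authentication.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/client.ext" \
    -out "$dir/client.crt" 2>/dev/null

  # 4. Verify the chain exactly as a trust store holding only ca.crt would.
  openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null
}

# Issuer CN of a cert: a quick check of which CA signed a client cert.
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

# Put only the CA cert into the server-side trust store, e.g.
# "$JAVA_HOME/jre/lib/security/cacerts" (default password changeit).
# Individual client certs never need to be imported there.
import_ca_into_cacerts() {
  keytool -import -noprompt -trustcacerts -alias example-ca \
    -file "$1/ca.crt" -keystore "$2" -storepass "${3:-changeit}"
}
```

Hand out client.key plus client.crt (and ca.crt) to each client; the server only ever needs ca.crt.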