From your 1., your client cert is self-signed, not signed by your CA cert.
Since this amounts to telling the server "I am Dmitry, because I said so",
it's a security-risk to accept self-signed client certs, so most HTTPS
servers won't accept them.  (Of course, it is also the same security-risk to
accept self-signed server-certs.  However, there is a big difference between
clicking Ok in the browser's dialog box, and paging the webmaster at 3AM to
agree to accept it ;-).

The easiest thing would be to get a Thawte client-cert (since you don't have
to pay for it), and use that instead of your self-signed one.  For testing,
that is what I do (except that I use my Verisign cert, since my employer
pays for that one :).  At least with Sun's JSSE, Thawte's Root cert is
installed in cacerts by default.  Setting up your own CA is only needed if
you have to hand out your own client-certs when you move to production.

"Dmitry S.Rogulin" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
>
> But (as I pointed out in 3.,4. and 6) I have client cert and CA cert.
> The latter I imported to the cacert.
> I tried to do the same without Tomact but with very simple HTTP(s)
> server and got the same result. So I suggest that I did something
> wrong with creating/importing certs.
>
> But what's wrong?
>
> BB> You can't generally use a self-signed client cert with JSSE (you can
> BB> configure PureTLS to accept it, but another bug means that you'd have
> BB> to wait for 4.1.26).  The work-around is way too much trouble for the
> BB> sysadmin, and I don't feel like being an enabler for a true hideous
> BB> design.  So, you'll just have to read the JSSE docs for yourself ;-).
>
> BB> If you need to issue your own client-certs, I'd suggest setting up
> BB> your own CA (with OpenSSL or otherwise), and import your CA's cert into
> BB> cacerts.  You can then hand out client certs, and Tomcat will accept them.
>
> BB> "Dmitry S.Rogulin" wrote in message
> BB> news:[EMAIL PROTECTED]
> >> Hello all,
> >>
> >> Sorry for the previous e-mail. %)
> >>
> >> This theme was discussed about month ago. I tried to use what I've
> >> found but I'm still having a problem...
> >>
> >> I'm trying to do SSL client authentication with Tomcat 4.1.18 (clientAuth="true").
> >>
> >> 1. I've generated a client certificate using keytool:
> >>   keytool -genkey -alias tomcat-cl -keyalg RSA -keystore client.keystore
> >>
> >> 2. Then I created Certificate Signing Request:
> >>   keytool -certreq -keyalg RSA -alias tomcat-cl -file certreq.csr -keystore client.keystore
> >>
> >> 3. I sent it to CA and got a signed certificate and CA Certificate.
> >> 4. I imported them to the client keystore:
> >>   keytool -import -alias root -keystore client.keystore -file cacert
> >>   keytool -import -alias tomcat-cl -keystore client.keystore -file usercert
> >>
> >> 5. I exported server certificate and imported it as a trusted to the
> >> trusted keystore:
> >>   keytool -import -trustcacerts -alias tomcat -file server.cer -keystore trust.keystore
> >>
> >> 6. I imported CA Certificate to "\jre\lib\security\cacerts" :
> >>   keytool -import -file cacert -keystore %java_home%\jre\lib\security\cacerts -storepass changeit
> >>
> >>   I'm running Tomcat and test client on the same machine.
> >>   Server keystore: %USERHOME%\.keystore
> >>   Client keystore: %USERHOME%\client.keystore
> >>   Client trusted keystore: %USERHOME%\trust.keystore
> >>
> >>   Test Client:
> >> ********************************************
> >> import java.net.*;
> >> import java.io.*;
> >> import java.util.*;
> >> import java.security.*;
> >> import javax.net.ssl.*;
> >>
> >> public class SimpleClient {
> >>
> >>         public static void main(String[] args) {
> >>                 // Trust store: holds the server cert exported in step 5
> >>                 System.setProperty("javax.net.ssl.trustStore",
> >>                         System.getProperty("user.home") + File.separator + "trust.keystore");
> >>
> >>                 // Key store: holds the client key and cert presented when clientAuth="true"
> >>                 System.setProperty("javax.net.ssl.keyStore",
> >>                         System.getProperty("user.home") + File.separator + "client.keystore");
> >>                 System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
> >>
> >>                 InputStream is = null;
> >>                 ByteArrayOutputStream os = new ByteArrayOutputStream();
> >>
> >>                 try {
> >>                         URL url = new URL("https://localhost:8443/readme.txt");
> >>
> >>                         try {
> >>                                 is = url.openStream();
> >>
> >>                                 byte[] buffer = new byte[4096];
> >>                                 int bytes_read;
> >>                                 while ((bytes_read = is.read(buffer)) != -1)
> >>                                         os.write(buffer, 0, bytes_read);
> >>
> >>                                 System.out.println(os.toString());
> >>
> >>                         } catch (Exception e) { e.printStackTrace(); }
> >>                         finally {
> >>                                 try {
> >>                                         // openStream() may have thrown before is was assigned
> >>                                         if (is != null) is.close();
> >>                                         os.close();
> >>                                 } catch (IOException e) { e.printStackTrace(); }
> >>                         }
> >>
> >>                 } catch (Exception e) { e.printStackTrace(); }
> >>         }
> >> }
> >> ********************************************
> >>
> >> With [clientAuth="false"] it works fine, but with [clientAuth="true"]
> >> it gives an error:
> >>
> >> java.net.SocketException: Software caused connection abort: recv failed
> >>         at java.net.SocketInputStream.socketRead0(Native Method)
> >>         at java.net.SocketInputStream.read(SocketInputStream.java:129)
> >>         at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
> >>         at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
> >>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
> >>
> >> What did I do in a wrong way?
> >>
> >> Thanks in advance.
> >>
> >> Best regards,
> >> Dmitry.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
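An added example, not code from this thread: with OpenSSL it builds the private CA that both replies suggest, has that CA sign a client CSR, and then tells a CA-signed client cert from a self-signed one the way the first reply diagnosed it (issuer equals subject). File names, the CN values and the working directory are assumptions; the CSR in the thread comes from keytool -certreq, but the signing and checking steps are the same.

```shell
# Added example (not from the thread): private CA with OpenSSL, CA-signed
# client cert, and a check for self-signed vs CA-signed.
# Assumed names: cacert.pem, usercert.pem, selfcert.pem and the CN values.
set -eu
WORK=$(mktemp -d)

# Private CA root. This is the one cert that is legitimately self-signed;
# it is what the thread imports into cacerts (alias "root") as trusted.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" 2>/dev/null
}

# Client key + CSR (the thread does this with keytool -genkey / -certreq),
# then the CA signs the CSR. The result is what "usercert" should look like.
make_client_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=dmitry" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/usercert.pem" 2>/dev/null
}

# The kind of cert keytool -genkey leaves in a keystore until a CA reply is
# imported over it: the subject vouches for itself.
make_selfsigned_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=dmitry" \
    -keyout "$WORK/self.key" -out "$WORK/selfcert.pem" 2>/dev/null
}

# "self-signed" when issuer equals subject, otherwise "ca-signed".
cert_kind() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
    echo self-signed
  else
    echo ca-signed
  fi
}

# Succeeds only if the cert chains to our CA, which is the check JSSE makes
# against the CA certs in cacerts / the trust store.
verify_chain() {
  openssl verify -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1
}

make_ca; make_client_cert; make_selfsigned_cert
echo "usercert: $(cert_kind "$WORK/usercert.pem")"
echo "selfcert: $(cert_kind "$WORK/selfcert.pem")"
```

A cert that reports self-signed here is exactly the case the first reply describes, and it is also the one that fails verify_chain, so importing the CA cert into cacerts does not help until the signed reply has been imported over the keystore entry.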