The Tomcat version is 7.0.54 and the APR connector configuration looks like this:

    <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
               port="8443"
               maxThreads="200"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               connectionTimeout="600000"
               SSLPassword="pass"
               SSLCertificateFile="c:\programs\eis\tomcat-ssl\cert.crt"
               SSLCertificateKeyFile="c:\programs\eis\tomcat-ssl\cert.key"
               SSLCACertificateFile="c:\programs\eis\tomcat-ssl\cacert.pem"
               SSLVerifyClient="require" />

When the APR connector is used, the "javax.servlet.request.X509Certificate" attribute in the request is null. This attribute should be filled by Tomcat's Http11AprProcessor. The client certificate (SSLSocket.getInfoB(socketRef, SSL.SSL_INFO_CLIENT_CERT)) is present in this processor, but retrieving certLength (SSLSocket.getInfoI(socketRef, SSL.SSL_INFO_CLIENT_CERT_CHAIN)) returns an error (value -1), and therefore the aforementioned "javax.servlet.request.X509Certificate" attribute is not filled. This happens when using Chrome/Firefox but not with Internet Explorer.

This behavior was reported and fixed as a bug in Tomcat 5 (https://issues.apache.org/bugzilla/show_bug.cgi?id=37869), but apparently it was changed back to the previous behavior in some Tomcat 6 release.

Using the Java connector works fine, but we would like to have this working with the APR connector as well.

Any ideas?

Thanks
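A servlet filter that makes the symptom described above visible and fails closed when the attribute is missing, as an added example that is not part of the original post or of Tomcat's code. The class name ClientCertRequiredFilter and the log and error messages are assumptions of this example.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: the class name and messages are assumptions of this example.
public class ClientCertRequiredFilter implements Filter {
    // Request attribute the connector is expected to populate after the TLS handshake.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Object attr = req.getAttribute(CERT_ATTR);
        X509Certificate[] certs =
                (attr instanceof X509Certificate[]) ? (X509Certificate[]) attr : null;

        if (certs == null || certs.length == 0) {
            // The symptom from the post: the handshake required a client certificate,
            // but the connector did not expose it to the application. Reject the
            // request instead of treating the caller as anonymous.
            req.getServletContext().log("No client certificate in " + CERT_ATTR
                    + " for request from " + req.getRemoteAddr());
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Client certificate not available");
            return;
        }

        // certs[0] is the client's own certificate; any further entries are its issuers.
        X509Certificate leaf = certs[0];
        req.getServletContext().log("Client certificate subject="
                + leaf.getSubjectX500Principal().getName()
                + " issuer=" + leaf.getIssuerX500Principal().getName()
                + " chainLength=" + certs.length);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The filter has to be registered in the web application's web.xml (or with @WebFilter) for the protected URL patterns before it takes effect.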