Hi all,

This is my very first message on the list.
I am trying to use the SSL and client authentication feature in Tomcat 6, using a PKCS#11 compliant smart card reader and a real authentication smart card (Italian CNS). In the browser (Firefox) I obtain an ssl_error_certificate_unknown_alert or an ssl_error_bad_certificate_alert. SSL without client authentication works perfectly.

This is my server configuration:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="C:\apache-tomcat-6.0.20\conf\tomcat.keystore"
               keystorePass="tomcat" keyAlias="tomcat"
               truststoreFile="C:\apache-tomcat-6.0.20\conf\cacerts"
               truststorePass="changeit"/>

tomcat.keystore contains the self-signed X.509 certificate I use to perform the server SSL handshake. cacerts contains the root certificate of my signature and non-repudiation certificate contained in my smart card.

From Tomcat's log, obtained by setting JAVA_OPTS=-Djavax.net.debug=ssl,handshake, I am sure that:

1) the root certificate is trusted (imported in cacerts with keytool -import -trustcacert .):

    adding as trusted cert:
      Subject: CN=InfoCamere Firma Qualificata, OU=Certificatore Accreditato del Sistema Camerale, SERIALNUMBER=02313821007, O=InfoCamere SCpA, C=IT
      Issuer: CN=InfoCamere Firma Qualificata, OU=Certificatore Accreditato del Sistema Camerale, SERIALNUMBER=02313821007, O=InfoCamere SCpA, C=IT
      Algorithm: RSA; Serial number: 0x1
      Valid from Wed Mar 24 16:48:50 CET 2004 until Thu Mar 24 16:47:52 CET 2016

2) the client certificate is taken from the smart card and it's given to the server; furthermore, the issuer is exactly the trusted one:

    *** Certificate chain
    chain [0] = [
    [
      Version: V3
      Subject: CN=Marcello Marangio, DNQ=20071112354269, SERIALNUMBER=IT:MRNMCL70C21A662D, GIVENNAME=MARCELLO, SURNAME=MARANGIO, O=NON PRESENTE, C=IT
      Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
      Validity: [From: Wed Nov 21 12:11:08 CET 2007,
                 To: Sun Nov 21 01:00:00 CET 2010]
      Issuer: CN=InfoCamere Firma Qualificata, OU=Certificatore Accreditato del Sistema Camerale, SERIALNUMBER=02313821007, O=InfoCamere SCpA, C=IT
      SerialNumber: [    131b58]

3) the browser (Firefox) picks up the correct non-repudiation certificate from the smart card and sends it to the server:

    [9]: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
      Non_repudiation
    ]

The problem seems to be that Tomcat is looking for the digital signature certificate and not the non-repudiation one:

    http-8443-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown
    http-8443-1, WRITE: TLSv1 Alert, length = 2
    http-8443-1, called closeSocket()
    http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: KeyUsage does not allow digital signatures

Is Tomcat's behavior correct or is it a bug?

Thanks a million
Marcello
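An added example (not from Marcello's message and not Tomcat or JSSE code) that decodes an X.509 KeyUsage extension value and applies the rule behind the quoted validator error: when KeyUsage is present, a TLS client certificate must carry the digitalSignature bit (bit 0). The DER byte strings are constructed by hand; the first mirrors the Non_repudiation-only usage shown in the log, so a certificate can be checked before it is ever presented to a clientAuth="true" connector.

```python
from typing import Optional, Set

# KeyUsage ::= BIT STRING, bit positions as defined in RFC 5280 section 4.2.1.3
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]


def decode_key_usage(der: bytes) -> Set[str]:
    """Return the names of the bits set in a DER-encoded KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length > 0x7F or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused = der[2]          # count of unused trailing bits in the last byte
    body = der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    nbits = len(body) * 8 - unused
    names = set()
    for i in range(min(nbits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):   # bit 0 is the MSB of byte 0
            names.add(KEY_USAGE_BITS[i])
    return names


def allows_tls_client_auth(der: Optional[bytes]) -> bool:
    """Rule the quoted error reflects: no KeyUsage is fine, otherwise bit 0 is required."""
    if der is None:
        return True
    return "digitalSignature" in decode_key_usage(der)


# Constructed sample values (tag 03, length 02, unused-bit count, bit byte)
NON_REPUDIATION_ONLY = bytes.fromhex("03020640")   # 0100 0000 -> like the CNS cert
SIGNATURE_AND_NON_REP = bytes.fromhex("030206c0")  # 1100 0000
DIGITAL_SIGNATURE_ONLY = bytes.fromhex("03020780") # 1000 0000

if __name__ == "__main__":
    for label, der in [("nonRepudiation only", NON_REPUDIATION_ONLY),
                       ("sig + nonRepudiation", SIGNATURE_AND_NON_REP),
                       ("digitalSignature only", DIGITAL_SIGNATURE_ONLY)]:
        verdict = "accepted" if allows_tls_client_auth(der) else "rejected"
        print(f"{label:22} {sorted(decode_key_usage(der))} -> {verdict}")
```

Against a real certificate, the decoded X509v3 Key Usage line in the output of `openssl x509 -in cert.pem -noout -text` shows the same bits, so the check can be done without touching the smart card.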