in my case, i am testing with clients authenticating to tomcat with dod cac 
cards. (smartcards)

i downloaded the dod root p7b cert files

i checked/verified that the root cert for the client cac card certs
 matched the dod root certs (in the p7b files)

i extracted ONLY the root certs from each p7b file
  into x.509 base64-encoded .cer files

then i imported ONLY those dod x509 root certs into tomcat's truststorefile

now when a client browses to tomcat, it tries to authenticate with the 
client-cert (from the cac card)

because tomcat has the root for the client cert loaded into its truststore,
 and the matching client cert "subject" name (ie: user) loaded in its auth,
    the client is therefore authenticated

i have more to do but that much is working.

From: Christopher Schultz <>
To: Tomcat Users List <>
Sent: Mon, April 12, 2010 9:32:32 AM
Subject: Re: Installing certificate chain on Tomat

On 4/10/2010 3:31 PM, /U wrote:
>    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystoreFile="/users/me/.keystore" keystorePass="changeit"
>      />

Are you using APR (aka Tomcat native)?

> I have received the following keys/certs from CA:
>    - file1: private key for myhost
>    - file2: identity certificate for "myhost" signed by "CA1"
>    - file3: certificate for "CA1" signed by "entrust"
> I installed private key (file1) and "myhost" cert (file2) into
> /users/me/.keystore
> using the ImportKey utility.
> I installed the CA1's certificate into "/users/me/.keystore" using keytool.
> My keytool output looks like this:
>    $ keytool -list -keystore /users/me/.keystore
>    <...password...>

Heh... you mean it's not "changeit"? :)

>    Keystore type: JKS
>    Keystore provider: SUN
>    Your keystore contains 2 entries

Shouldn't that be 3 entries?

>    CA1, Apr 10, 2010, trustedCertEntry,
>    Certificate fingerprint (MD5):
> 2F:B3:00:F2:FA:12:7B:BD:82:95:70:05:99:12:17:DB:BE
>    tomcat, Apr 10, 2010, PrivateKeyEntry, 
>    Certificate fingerprint (MD5):
> CD:D9:06:11:30:CD:C2:60:33:33:68:A2:30:5C:01:50

What about the "entrust" one?

> I did not install any certificates into truststore
> (jre/lib/security/cacerts).
> When I connect browser to https://myhost, i get a cert error that
>    "myhost" is signed by "CA1" and cannot be trusted.
> The browser shows only one cert (for "myhost") and does not show the full
> cert chain ("myhost" -> "CA1" and "CA1" -> entrust).
> Why is the full cert chain not sent to the browser?

Because you haven't provided the whole certificate chain to Tomcat.
Tomcat can only send what it already has.

> Since the "entrust" CA cert is in the browser's CA list, if tomcat sent the
> full cert chain to the browser, it would be trusted.

Maybe, maybe not. It's possible that the real cert chain goes like this:

myhost -> CA1 -> Entrust -> Entrust Global

If your browser only knows about the "Entrust Global" cert, then your
chain is broken.

Did you follow the instructions on Entrust's web site?
(for chain certs)
(for bare certs, I guess)

Perhaps they are the ones to ask about this.

You might want to ask why they don't "support" a version of Tomcat after

-chris
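The chain problem described in this reply, as an added example (not code from the thread or from Tomcat): a shell script that generates a throwaway test PKI with openssl and checks what a client trusting only the root accepts when the server presents the bare server cert versus the server cert plus its intermediate. The names root, CA1 and myhost follow the thread; the keytool commands at the end are the assumed fix and are shown as comments only.

```shell
#!/bin/sh
# Added example (not code from the thread): a throwaway three-tier PKI
# named after the thread (root plays "entrust", then CA1, then myhost).
# Shows what a client trusting only root decides when the server presents
# the bare myhost cert versus myhost plus CA1. Tomcat sends only the chain
# stored with its PrivateKeyEntry, so a trustedCertEntry for CA1 is never sent.
set -eu
PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

# make_cert NAME ISSUER CAFLAG: self-signed when ISSUER is empty
make_cert() {
  name=$1; issuer=$2; caflag=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$PKI/$name.key" -out "$PKI/$name.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:%s\n' "$caflag" > "$PKI/$name.ext"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$PKI/$name.csr" -signkey "$PKI/$name.key" \
      -extfile "$PKI/$name.ext" -days 1 -out "$PKI/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$PKI/$name.csr" -CA "$PKI/$issuer.pem" \
      -CAkey "$PKI/$issuer.key" -CAcreateserial -extfile "$PKI/$name.ext" \
      -days 1 -out "$PKI/$name.pem" 2>/dev/null
  fi
}
make_cert root   ""   TRUE    # the only cert the client (browser) trusts
make_cert CA1    root TRUE
make_cert myhost CA1  FALSE

# verify_presented LEAF [INTERMEDIATE...]: prints OK or BROKEN, judging the
# certificates a server presents the way a client trusting only root would
verify_presented() {
  leaf=$1; shift
  extra=""
  for f in "$@"; do extra="$extra -untrusted $PKI/$f.pem"; done
  if openssl verify -CAfile "$PKI/root.pem" $extra "$PKI/$leaf.pem" \
      >/dev/null 2>&1; then echo OK; else echo BROKEN; fi
}
verify_presented myhost       # BROKEN: CA1 is unknown to the client
verify_presented myhost CA1   # OK: the chain now reaches the trusted root

# Getting the chain into Tomcat's keystore (assumed fix, not run here; needs
# a JDK): import the CA certs as trusted entries first, then re-import the
# server cert under the private key's alias so keytool stores the chain with it.
#   keytool -importcert -alias root   -file root.pem   -keystore .keystore
#   keytool -importcert -alias CA1    -file CA1.pem    -keystore .keystore
#   keytool -importcert -alias tomcat -file myhost.pem -keystore .keystore
#   keytool -list -v -keystore .keystore   # shows "Certificate chain length: 3"
```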
