From: "Craig R. McClanahan"
Date: Tue, 03 Oct 2000 11:10:56 -0700
To: tomcat-user@jakarta.apache.org
Subject: Re: IE4 SSL -> Tomcat 4 (clientAuth=true)
Message-ID: <39DA2130.4574E1D9@eng.sun.com>
References: <4115CB6C1B39D21198470008C71EC6CDB73724@tte-nt2>

See below.

"O'Hagan, Shaun" wrote:

> Hi Craig,
>
> Thanks for the answer
>
> > The stack trace is an ugly way for Tomcat 4.0 to respond (which will be
> > fixed), but the key issue is that you need to go acquire a *client*
> > certificate from some certificate authority (Verisign has free 30-day
> > trial certificates in the US, not sure about Europe), and install it in
> > your browser. What's happening is that Tomcat is asking your browser to
> > upload its certificates, but you don't have one installed so it is not
> > able to validate you.
>
> I followed your advice and obtained a certificate from verisign but I'm
> still getting the same error and having a lot of frustration here :-(

I'm not sure we are talking about the same thing yet. For client authentication to be used, you have to get a certificate for your *client* (i.e. your browser), and install it there (I'm sure the Verisign site has instructions for this, because that's exactly what I did) -- you would be using "keytool" only if you're generating a *server* certificate. You might want to do this later, instead of the self-signed certificate that has already been created, but it does not have anything to do with client authentication.

Once you get a client certificate installed correctly and access the protected site, your browser will say something like "this site is requesting a client certificate; which one should I send?" and offer you a dialog box containing all the client certificates you've imported into your browser.

Craig

====================
See you at ApacheCon Europe !
Session VS01 (23-Oct 13h00-17h00): Sun Technical Briefing
Session T06 (24-Oct 14h00-15h00): Migrating Apache JServ Applications to Tomcat
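The exchange Craig describes, reduced to its TLS essentials, as an added example that is not part of the thread and not Tomcat's or Sun's code: a server configured the way a `clientAuth="true"` connector is (the server demands a certificate and checks it against its trust store) is contacted twice by a "browser", once with no client certificate installed and once with one. The failure mode Shaun hit is the first connection. Assumptions: the `openssl` command is on PATH and is used only to mint throwaway self-signed certificates; Python's stdlib `ssl` module stands in for both Tomcat 4 and IE4; the names `shaun-browser`, `localhost` and all file paths are constructed for the demo.

```python
"""Mutual TLS in miniature: what Tomcat's clientAuth="true" asks of a browser.

Added illustration, not code from the mailing-list thread or from Tomcat.
Assumptions: the `openssl` command is on PATH (used only to mint throwaway
self-signed certificates), and Python's stdlib ssl module stands in for both
Tomcat 4 (server) and IE4 (client). All names and files are constructed.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def gen_self_signed(workdir, name, cn, san=None):
    """Mint a throwaway self-signed key/cert pair with the openssl CLI (assumption: on PATH)."""
    key = os.path.join(workdir, f"{name}.key")
    crt = os.path.join(workdir, f"{name}.crt")
    cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
           "-subj", f"/CN={cn}", "-keyout", key, "-out", crt]
    if san:
        cmd += ["-addext", f"subjectAltName=DNS:{san}"]  # lets the client verify the server's hostname
    subprocess.run(cmd, check=True, capture_output=True)
    return key, crt


class MutualTlsServer:
    """TLS listener that, like a clientAuth="true" connector, refuses clients without a trusted cert."""

    def __init__(self, server_key, server_crt, trusted_client_crt):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(server_crt, server_key)
        ctx.verify_mode = ssl.CERT_REQUIRED            # the clientAuth="true" equivalent
        ctx.load_verify_locations(trusted_client_crt)  # trust store of acceptable client issuers
        self.ctx = ctx
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.results = []  # one ("ok", cn) or ("rejected", reason) entry per connection

    def serve_n(self, n):
        """Handle n connections; a failed client-cert check is recorded rather than thrown."""
        for _ in range(n):
            raw, _addr = self.sock.accept()
            try:
                tls = self.ctx.wrap_socket(raw, server_side=True)  # handshake happens here
            except OSError as exc:  # ssl.SSLError is an OSError subclass
                self.results.append(("rejected", getattr(exc, "reason", None) or type(exc).__name__))
                raw.close()
                continue
            with tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                cn = subject["commonName"]
                tls.sendall(b"hello " + cn.encode())
                self.results.append(("ok", cn))


def connect(port, server_crt, client_key=None, client_crt=None):
    """Act as the browser: return the server's greeting, or a 'TLS error: ...' string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(server_crt)  # trust the self-signed server certificate
    if client_crt:
        ctx.load_cert_chain(client_crt, client_key)  # the "installed" client certificate
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                data = tls.recv(1024)
    except OSError as exc:  # under TLS 1.3 the missing-cert alert arrives after the client's handshake
        return "TLS error: " + (getattr(exc, "reason", None) or type(exc).__name__)
    return data.decode() if data else "TLS error: closed before greeting"


def run_demo():
    """One connection without a client cert, one with; returns (client view, server view)."""
    with tempfile.TemporaryDirectory() as workdir:
        skey, scrt = gen_self_signed(workdir, "server", "localhost", san="localhost")
        ckey, ccrt = gen_self_signed(workdir, "client", "shaun-browser")  # constructed client identity
        server = MutualTlsServer(skey, scrt, ccrt)
        worker = threading.Thread(target=server.serve_n, args=(2,), daemon=True)
        worker.start()
        no_cert = connect(server.port, scrt)                # browser with nothing installed
        with_cert = connect(server.port, scrt, ckey, ccrt)  # browser after importing the cert
        worker.join(timeout=15)
        server.sock.close()
        return (no_cert, with_cert), server.results


if __name__ == "__main__":
    client_view, server_view = run_demo()
    print("client saw:", client_view)
    print("server saw:", server_view)
```

The first connection is rejected by the server (the client never sent a certificate), and the client sees only a TLS error, which is the equivalent of the stack trace Shaun got; the second succeeds and the server learns the client's subject name. Note the two different trust decisions: the client trusts the server's self-signed cert (what `keytool` produces for the server side), while the server trusts only certificates it can chain to its own trust store, which is why a server certificate alone, however it was generated, never satisfies client authentication.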