tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Anton Brazhnyk <>
Subject RE: Client certificate does not show in browser
Date Wed, 13 Feb 2002 09:02:14 GMT

> -----Original Message-----
> From: Henrik Schultz []
> Sent: Wednesday, February 13, 2002 10:26 AM
> To: Tomcat Users List
> Subject: Client certificate does not show in browser
> Greetings All,
> I am trying to get client certificates to work with Tomcat 4. Basically I
> seem to almost have it working, as follows:
> First the SSL setup:
> - Installed JSSE
> - Created a self-signed server certificate, and installed in TC keystore
> - Defined SSL service in server.xml
> This works fine, the server responds fine on port 443 and the browser asks
> if I wish to accept and install the server certificate in the trusted root
> keys keystore.
> Then the client certificate setup:
> - Installed OpenSSL to have finer control over key and certificate
> management
> - Generated self-signed CA certificate
> - Generated client certificate, and signed it using the CA certificate
> - Distributed CA certificate to browser (IE 5.5), which installed it fine
> in the trusted root keystore.
> - Distributed client certificate to browser, which also installs fine in
> the private keystore.
> Finally modified Tomcat to use client certificates:
> - Installed CA certificate in $JAVA_HOME/jre/lib/security/cacerts using
> keytool
> - Modified server.xml to request client certificate
> Now... (drumroll please) ... when connecting to the server, IE shows a
> pop-up dialog asking me to choose a certificate.
> However, the list box is EMPTY, so here everything comes to a 
> grinding halt
> :-(
> I've searched the FAQ's, and the good guys who wrote OpenSSL says that if
> this happens, it is likely because the server sends a list of trusted root
> CA's, and the browser then only list certificates that have been signed by
> one of these CA's. In other words,  unless your SSL enabled 
> server includes
> the certificate of the CA who signed the client certificate in the
> handshake, your personal cerificate will never show up.
> But, I DID install my CA certificate in the JRE cacerts file, and using
> OpenSSL's 's_client' option I can see that the server in fact includes my
> CA certificate in the SSL handshake.

It makes sense, BTW could you please point me to that FAQ?
Though I have to say that it seems that advice isn't very usefull,
since my server sertificate and client sertificates are signed with 
the same root certificate and the "Choose cert..." is still empty.

I read about this procedure but it didn't work for me.
I managed to make the certificate chain with local MS certsrv (but it should 
work with other CA's)
Did I do something wrong?

1. Create self signed certificate and private key
keytool -genkey -alias tomcat -keyalg RSA

2. Make certificate request
keytool -certreq -alias tomcat -file request.txt

3. Request certificate chain with 'request.txt' passed to CA
and save it to mycert.cer

4. Get CA root certificate either downloading it from CA or 
exporting from mycert.cer and save it to root.cer

5. Install root certificate to the same 
(not $JAVA_HOME/jre/lib/security/cacerts) keystore
keytool -import -trustcaserts -alias root -file root.cer

6. Install sertificate chain
keytool -import -trustcaserts -alias tomcat -file mycaert.cer

>From this point IE doesn't complain about certificate, but
CLIENT_CERT auth still doesn't work.

> Anynone else have had succes with this, that could shed some 
> light on this,
> or perhaps suggest ways of double-checking the setup?
> Best regards -
> Henrik Schultz
> Senior Systems Architect
> Consultant to Maersk Data AS
> Tel.: +45 39 10 21 13
> Mobile: +45 22 12 24 29
> E-mail:


To unsubscribe:   <>
For additional commands: <>
Troubles with the list: <>

View raw message