tomcat-users mailing list archives

From Michael Migdol <>
Subject Need help with SSL Client Authorization
Date Fri, 22 Feb 2002 17:54:44 GMT
Hi all,

I know this is at least the third request I have seen regarding this topic.
Maybe we need more information in the Tomcat documentation?

I've been trying for a day now to get this to work without success.
Hopefully someone here can help.  I'm running Tomcat 4.0.2 in standalone
mode.  I have enabled SSL with the following configuration in my server.xml:

    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               acceptCount="10" debug="99" scheme="https" secure="true">
      <Factory className=""
               clientAuth="true" protocol="TLS"/>

This configuration works fine with secure="false" (i.e. no client

First, I used keytool to add the tomcat alias to USER_HOME/.keystore.  Then,
I used OpenSSL (OpenSSL 0.9.6c 21)  to create a CA, and have added that CA
to the cacerts keystore (using -trustcacerts with keytool).  I then used the
local OpenSSL CA to request and then sign a user certificate.  

I am testing my server-side configuration in two ways that both fail. In
both cases, I have set for the server.

1) Convert both the user and CA certificates to PKCS12, import them both
into Internet Explorer, and then attempt to go to
https://localhost:8443/index.html .  This gets me a "Page cannot be
displayed" error on the client side.  On the server side I get
"handshake-failed" messages.

2) Run a Java program that uses the user certificate to connect to TC.  This
program fails with an exception:
Exception in thread "main" Couldn't
find trusted certificate .  On the server side I get "certificate_unknown"
error messages.

I'm more concerned with the second case, since this is closer to what we are
actually trying to do, although I need to get both scenarios working. Can
anyone summarize the criteria used by Tomcat+SSL to determine that the
certificate passed over was "unknown"?  What exactly is the role of the
self-signed Tomcat alias certificate that is required?

Thanks in advance,

Michael Migdol
Senior Staff SW Engineer
1380 Bordeaux Drive
Sunnyvale, CA 94089
work 408-907-6265
cell  408-375-8001

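Added example, not part of the original message or of Tomcat: a shell script that rebuilds the setup described above (a local OpenSSL CA, a user certificate signed by it, a self-signed server certificate) and uses `openssl verify` to show the chain check that each end of a mutually authenticated TLS handshake applies to the certificate it receives. All file and subject names are constructed, and `openssl verify` stands in for the JSSE trust decision.

```bash
#!/usr/bin/env bash
# Added example: every name below (demo-ca, rogue-ca, alice, mallory, tomcat)
# is constructed for illustration. Requires the openssl CLI.
set -eu
cd "$(mktemp -d)"

make_selfsigned() {   # $1 = file basename, $2 = CN; also used for the CAs
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_cert() {        # $1 = file basename, $2 = CN, $3 = issuing CA basename
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
    -CAcreateserial -days 1 -out "$1.crt" 2>/dev/null
}

# Path validation as the receiving side does it:
# does certificate $1 chain to a trust anchor in file $2?
chains_to() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo unknown
  fi
}

make_selfsigned demo-ca  "Demo Local CA"   # CA imported into the server's trust store
make_selfsigned rogue-ca "Unrelated CA"    # a CA the server never imported
make_selfsigned tomcat   "localhost"       # self-signed server certificate
issue_cert alice   "alice"   demo-ca       # user certificate signed by the local CA
issue_cert mallory "mallory" rogue-ca      # user certificate from the unrelated CA

echo "server trust store = demo-ca:"
echo "  alice   -> $(chains_to alice.crt   demo-ca.crt)"
echo "  mallory -> $(chains_to mallory.crt demo-ca.crt)"
echo "client trust store = demo-ca only:"
echo "  tomcat  -> $(chains_to tomcat.crt  demo-ca.crt)"
echo "client trust store = tomcat certificate:"
echo "  tomcat  -> $(chains_to tomcat.crt  tomcat.crt)"
```

The two halves are independent: the server's trust store decides whether the user certificate is accepted, and the client's trust store decides whether the server's self-signed certificate is accepted.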