tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Henrik Schultz" <>
Subject Client certificate does not show in browser
Date Wed, 13 Feb 2002 08:26:21 GMT

Greetings All,

I am trying to get client certificates to work with Tomcat 4. Basically I
seem to almost have it working, as follows:

First the SSL setup:

- Installed JSSE
- Created a self-signed server certificate, and installed in TC keystore
- Defined SSL service in server.xml

This works fine, the server responds fine on port 443 and the browser asks
if I wish to accept and install the server certificate in the trusted root
keys keystore.

Then the client certificate setup:

- Installed OpenSSL to have finer control over key and certificate
- Generated self-signed CA certificate
- Generated client certificate, and signed it using the CA certificate
- Distributed CA certificate to browser (IE 5.5), which installed it fine
in the trusted root keystore.
- Distributed client certificate to browser, which also installs fine in
the private keystore.

Finally modified Tomcat to use client certificates:

- Installed CA certificate in $JAVA_HOME/jre/lib/security/cacerts using
- Modified server.xml to request client certificate

Now... (drumroll please) ... when connecting to the server, IE shows a
pop-up dialog asking me to choose a certificate.
However, the list box is EMPTY, so here everything comes to a grinding halt

I've searched the FAQ's, and the good guys who wrote OpenSSL says that if
this happens, it is likely because the server sends a list of trusted root
CA's, and the browser then only list certificates that have been signed by
one of these CA's. In other words,  unless your SSL enabled server includes
the certificate of the CA who signed the client certificate in the
handshake, your personal cerificate will never show up.
But, I DID install my CA certificate in the JRE cacerts file, and using
OpenSSL's 's_client' option I can see that the server in fact includes my
CA certificate in the SSL handshake.

Anynone else have had succes with this, that could shed some light on this,
or perhaps suggest ways of double-checking the setup?

Best regards -

Henrik Schultz
Senior Systems Architect
Consultant to Maersk Data AS
Tel.: +45 39 10 21 13
Mobile: +45 22 12 24 29

To unsubscribe:   <>
For additional commands: <>
Troubles with the list: <>

View raw message