tomcat-users mailing list archives

From "Power-Netz (Schwarz)" <>
Subject AW: Tomcat 4 - OpenSSL - IE client certificate works partially
Date Mon, 01 Jul 2002 14:50:21 GMT

This is the answer:

and it's really easy.

> -----Original Message-----
> From: Henrik Schultz []
> Sent: Monday, 1 July 2002 16:43
> To: tomcat-user
> Subject: Tomcat 4 - OpenSSL - IE client certificate works partially
> Greetings all...
> For those not interested in client certificates at the deep technical
> level, this is probably not your favorite cup of tea. Otherwise read on.
> Enabling SSL in Tomcat is really no sweat using your own home-made
> certificates, thanks to the excellent HOW-TO. Once you get your root CA
> certificate installed in the right places, and a suitable certificate
> installed in Tomcat, everything works just fine.
> However, creating client certificates that work with IE has (at least for
> me) shown to be a real pain. I've experimented for months, and tried
> numerous postings on this list, but no one seemed to know the finer details.
> It was only recently I had a breakthrough, in that a trial certificate from
> Verisign allowed me to compare that and a home-made one, and find the bits
> that make the difference, that is, what it takes for it to be shown on the
> selection list in IE when the server asks for a client certificate.
> Last night I succeeded. The right combination of keytool and openssl
> maneuvers to set up a private CA, finally generated a certificate that
> installed without a hitch in IE, and came up when I subsequently connected
> to my SSL enabled Tomcat. So far so good.
> However there is still one major obstacle ... the server aborts the
> connection right away :-((((
> IE tells me:
> "The page cannot be displayed
> The page you are looking for is currently unavailable.
> The Web site might be experiencing technical difficulties,
> or you may need to adjust your browser settings."
> In other words, the usual message that indicates that the server screwed
> up, and closed the connection.
> Interestingly enough the Verisign certificate works just fine. So there is
> apparently still a difference to Tomcat.
> Have tried to connect using openssl s_client - works A-OK, also with my
> home-made certificate.
> Have looked in the tomcat logs to no avail. There is no trace anywhere why
> the connection breaks.
> So the question to the list is: how would I go about diagnosing this? I
> believe that the problem must be related to the SSL container (?) that
> responds to the traffic on port 443, and does all the SSL handshaking,
> because my application never sees anything.
> Just like in Apache there's an error log for all the pages that fail -
> isn't there such a log in Tomcat?
> Thanks for any input or advice you might have!
> PS. If anyone is interested in a writeup or HOW-TO of making client
> certificates for Tomcat, let me know. This is certainly tricky stuff!
> Henrik Schultz
> Senior Systems Architect
> Consultant to Maersk Data AS
> Tel.: +45 39 10 21 13
> Mobile: +45 22 12 24 29
> E-mail: