tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Henrik Schultz" <>
Subject Tomcat 4 - OpenSSL - IE client certificate works partially
Date Mon, 01 Jul 2002 14:42:49 GMT

Greetings all...

For those not interested in client certificates at the deep technical
level, this is probably not your favorite cup of tea. Otherwise read on.

Enabling SSL in Tomcat is really no sweat using your own home-made
certificates, thanks to the excellent  HOW-TO. Once you get your root CA
certificate installed in the right places, and a suitable certificate
installed in Tomcat, everything works just fine.

However, creating client certificates that works with IE has (at least for
me) shown to be a real pain. I've experimented for months, and tried
numerous postings on this list, but noone seemed to know the finer details.
It was only recently I had a breakthrough, in that a trial certificate from
Verisign allowed me to compare that and a home-made one, and find the bits
that makes the difference, that is, what it takes for it to be shown on the
selection list in IE when the server asks for a client certificate.
Last night I succeeded. The right combination of keytool and openssl
maneuvres to setup a private CA, finally generated a certificate that
installed without a hitch in IE, and came up when I subsequently connected
to my SSL enabled Tomcat. So far so good.

However there is still one major obstacle ... the server aborts the
connection right away :-((((

IE tells me:

"The page cannot be displayed
The page you are looking for is currently unavailable.
The Web site might be experiencing technical difficulties,
or you may need to adjust your browser settings."

In other words, the usual message that indicates that the server screwed
up, and closed the connection.

Interestingly enough the Verisign certificate works just fine. So there is
apparently still a difference to Tomcat.
Have tried to connect using openssl s_client - works A-OK, also with my
home-made certificate.
Have looked in the tomcat logs to no avail. There is no trace anywhere why
the connection breaks.

So the question to the list is: how would I go by diagnosing this? I
believe that the problem must be related to the SSL container (?) that
responds to the traffic on port 443, and does all the SSL handshaking,
because my application never sees anything.
Just like in Apache there's an error log for all the pages that fail -
isn't there such a log in Tomcat?

Thanks for any input or advice you might have!

PS. If anyone is interested in a writeup or HOW-TO of making client
certificates for Tomcat, let me know. This is certainly tricky stuff!

Henrik Schultz
Senior Systems Architect
Consultant to Maersk Data AS
Tel.: +45 39 10 21 13
Mobile: +45 22 12 24 29

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message