tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rodrigo Ruiz" <>
Subject Re: Client Certificates on Tomcat 3.3.1
Date Tue, 20 Aug 2002 15:54:19 GMT
Tathagat, at this moment I am generating my own self-signed server and
client certificates :-P

I have no .pem files, as I don't rely on any third provider. The keystore I
am using in my server has the following entries:

thawtepersonalfreemailca, Fri Feb 12 21:12:16 CET 1999, trustedCertEntry,
thawtepersonalbasicca, Fri Feb 12 21:11:01 CET 1999, trustedCertEntry,
verisignclass3ca, Mon Jun 29 19:05:51 CEST 1998, trustedCertEntry,
thawtepersonalpremiumca, Fri Feb 12 21:13:21 CET 1999, trustedCertEntry,
thawteserverca, Fri Feb 12 21:14:33 CET 1999, trustedCertEntry,
verisignclass4ca, Mon Jun 29 19:06:57 CEST 1998, trustedCertEntry,
verisignserverca, Mon Jun 29 19:07:34 CEST 1998, trustedCertEntry,
verisignclass1ca, Mon Jun 29 19:06:17 CEST 1998, trustedCertEntry,
thawtepremiumserverca, Fri Feb 12 21:15:26 CET 1999, trustedCertEntry,
verisignclass2ca, Mon Jun 29 19:06:39 CEST 1998, trustedCertEntry,
tomcat-sv, Tue Aug 20 16:39:06 CEST 2002, keyEntry,

The last entry is my own server certificate.

>From this point, using the KeyMan tool, I do this:

1. Create an empty keystore
2. Import the server certificate as a CA certificate into this new keystore
3. Create a new key pair
4. Create a .csr file
5. From the server keystore, create a certificate for this .csr (it creates
a .cer file with a X509 certificate chain)
6. Create a PKCS #12 token
7. Import the .cer created at point 5
8. Save the token (as a .pfx file)

Once I have this file, I import the server certificate in the trusted CA
provider store (I can do this directly from the pop-up window that shows the
browser on server connection).

Finally, I import the .pfx file into Explorer.

Is it enough importing the server certificate, or do I have to generate a
.pem file for my server certificate? If so, which tool should I have to use?

Now it seems to connect to the server, but it still receives an HTTP 401
error message.

My web-app has activated the CLIENT-CERT authentication scheme. If I relax
this to BASIC, all seems to work fine. The browser shows the user/password
dialog box, and I am in :-)

Could it be a problem related to the realm? How do you specified the list of
valid users? In CLIENT-CERT mode, you don't have user/password info.

Thanks a lot!

----- Original Message -----
From: "Tathagat (London)" <>
To: "'Tomcat Users List'" <>
Sent: Tuesday, August 20, 2002 5:14 PM
Subject: RE: Client Certificates on Tomcat 3.3.1

> ok,
> what you have to do is put the certificate provider into your java's
> security file.
> keytool -import blah blah (options)
> what you have to import are ".PEM" files which you get from the
> providers. Then IE will popup your certificates. Please read keytool
> documentation on sun site and most things will be clear of my mail.
> cheers
> Tathagat

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message