tomcat-users mailing list archives

From Julian W H Osborne
Subject Re: Client Side Certificates
Date Thu, 23 Dec 2004 17:54:53 GMT
Chris wrote:
>>>> Dear All,
>>>> I've been trying to get client/server certificates working with 
>>>> tomcat now for a while and I'm not having much success.  I have 
>>>> generated certificates which have worked successfully with apache 
>>>> but not tomcat.
>>>> I decided to script what I needed to do, so hopefully if anyone can 
>>>> see a problem with what I am doing they can help!!
>>>> I've modified the servers.xml file to clientAuth="true" (btw 
>>>> everything works if it is false), and I've added the path for the 
>>>> key store and the password for the key store, other than that there 
>>>> is nothing unusual in the config file.
>>> Well, that's your problem then ;-).  You need to configure your 
>>> truststore to tell Tomcat how to validate client certs.  For TC 
>>> 5.x.x, you need to add truststoreFile="/path/to/" and 
>>> truststorePass="<your-password-here>" to your <Connector> element in
>>> server.xml.
>> Okay, I'm using version 4.1.29.  I've added in truststoreFile and 
>> truststorePass.  I've pointed truststoreFile at the same keystore as 
>> I'm using for keystoreFile.  But I'm still having a problem.  If I use 
>> Firefox to test it I get "Could not establish an encrypted connection 
>> because your certificate was rejected by ...."
>> I have imported the client side cert into firefox.
>> Still stumped!
>> Thanks in advance
> You need to pass the truststore in as a JVM argument.  Do a search on 
> the list for SSL.  The exact parameters should be in there.

Hmmm, why do you need to do this?  Surely to get client authentication 
you don't need to start passing extra parameters to Tomcat?

Have been trawling through the archives and can't find the message you mean.



> Chris
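Added illustration, not written by anyone in this thread: the trust check that a truststore makes possible during client-certificate authentication, where a client certificate is accepted only if it chains to a certificate held in the trust store. It assumes the openssl command-line tool and uses PEM files in place of Tomcat's Java keystores; every name, subject and path is constructed.

```shell
#!/bin/sh
# Added example; every name, subject and path below is constructed.
# PEM files stand in for the Java keystore/truststore files.

# Build a throwaway PKI in directory $1: a CA, a client certificate
# signed by that CA, and an unrelated self-signed server certificate.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Client CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/client.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-server" \
        -keyout "$dir/server.key" -out "$dir/server.pem" 2>/dev/null || return 1
}

# Print "trusted" if certificate $2 chains to a certificate in trust
# file $1, otherwise "rejected".
check_client_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# Run both checks and print one result per line.
run_demo() {
    work=$(mktemp -d) || return 1
    make_demo_pki "$work" || { rm -rf "$work"; return 1; }
    echo "trust file holds issuing CA: $(check_client_cert "$work/ca.pem" "$work/client.pem")"
    echo "trust file holds server cert only: $(check_client_cert "$work/server.pem" "$work/client.pem")"
    rm -rf "$work"
}

run_demo
```

With a Java keystore, `keytool -list -v -keystore <file>` shows which certificates the store actually contains.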