tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jason Smith <>
Subject RE: Tomcat 5.5 Trust Stores and Client Authentication
Date Mon, 20 Apr 2009 18:21:05 GMT
I think by installing the .cer file, you installed the "public" part of the client certificate.
A .cer file is supposed to contain the publicly distributable portion of the client certificate.

The browsers need the "private" part. That's why it's called a "client certificate".  You
import the .cer file into your Java JKS keystore on the server, and that lets the server know
it can trust the client.  You also have to set up a user account matching the certificate
in tomcat-users.xml for the server portion to function.  And there is a web.xml part too.
 You'll need to import a .p12 file that is generated as part of the whole process into the
browsers.  If you don't have a .p12 file handy, you need to figure out how to get one from
somewhere. You double click on a .p12 file to import it into Window's keystore.  FireFox also
allows you to directly import a .p12 file.  

-----Original Message-----
From: Jorge Medina [] 
Sent: Monday, April 20, 2009 9:49 AM
To: Tomcat Users List
Subject: RE: Tomcat 5.5 Trust Stores and Client Authentication

I have not used client certificates, but in order to use SSL with
self-generated certificates you need to add your server self-signed
certificate to the trusted roots of your Windows account or computer
account. Use the "Certificates" plug-in on an MMC console to perform the

The operation above guarantees that IE can verify the identity of your

When using client-certificates, you need to guarantee the opposite too:
your server needs to be able to verify the identity of the client.

After installing the client certificate on IE, you also need to install
the client-certificate -or the CA root of the client certificate- into
the store used by Tomcat. I would assume that Tomcat uses the JVM trust
store, so you would need to specify:


But the documentation indicates to use the attributes:

...that you already have tried.

So, try setting the variables above.



-----Original Message-----
From: Ron Perkins [] 
Sent: Monday, April 20, 2009 4:14 AM
Subject: Tomcat 5.5 Trust Stores and Client Authentication

Hi All,

I have done the following to create a Trust Store for Tomcat to use:

Created a keystore with new certificate:

keytool -genkey -alias mycert -keyalg RSA -kaypass changeit -keystore
keystore.jks -storepass changeit

Exported certificate:

keytool -export -alias mycert -file mycert.cer -keystore keystore.jks
-storepass changeit

Imported certificate into trust store:

keytool -import -v -trustcacerts alias mycert -keypass changeit -file
mycert.cer -keystore cacerts.jks -storepass changeit

Added the following Connector into server.xml to allow Client


After starting Tomcat up, using netstat I can see that port 443 is

When using IE to test the connection to the https default page I get
IE's no communication web page displayed. If I use Firefox this gives me
the following error: SSL peer cannot verify your certificate (Error
code: ssl_error_bad_cert_alert)

I was expecting a message to say that the client needs a client
certificate? I then installed the client certificate mycert.cer into the
client browsers, but has no effect and I still recevie the same error

To check that I have SSL correctly installed, if I change
clientAuth="true" to clientAuth="false" then default Tomcatwebpage is
displayed within the browsers.

What have I done wrong? I am thinking that it is the way that I have
created the Trust store that is the problem?

Thanks for any help in advance...

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message