tomcat-users mailing list archives

From aravidu <>
Subject Re: tomcat mutual authentication doesn't work
Date Thu, 02 Sep 2010 06:12:22 GMT

Hey, if you are able to read this again, what I am trying to do now is set
the same thing up in a UNIX box. I created the client keys as I had done
previously and exported the key to my local machine so that I can import it
into my Firefox. However, when I try to import the PKCS12 key, it is not
able to recognize the password I gave. It kept complaining that the password
is incorrect.

Is it because of trying to use a key on Windows that was created on UNIX? Do
you think the key is tampered when I do a file transfer? How can I resolve

Thanks much. 

aravidu wrote:
> I tried your steps and it worked!!! Thank you very very much!! You are
> awesome!! :-)
> Ognjen Blagojevic-5 wrote:
>> On 20.8.2010 0:44, aravidu wrote:
>>> I don't have a client.keystore.
>>> Commands I used for creating a truststore&  adding keys to it:
>>> keytool -export -alias clientcert -file client-cert.cer -keystore tomcat.truststore
>>> keytool -import -file client-cert.cer -alias clientcert -keystore tomcat.truststore
>> That is wrong since you are configuring Tomcat to trust itself.
>> What you need to do is to configure Tomcat to trust the client, and to 
>> add client *private and public key* (pkcs12 file) to Firefox. So, you 
>> don't import .cert file (that is just public key) into Firefox but 
>> .pkcs12/.p12 file (it contains both private and public key).
>> You need to delete tomcat.truststore you created, and do steps 2-5 as I 
>> described:
>>>> 2. generate ClientPublic+ClientPrivate in, say, client.keystore file,
>>>> 3. import ClientPublic in tomcat.truststore, and
>>>> 4. import ClientPublic+ClientPrivate (usually in form of pkcs12 file) in
>>>> firefox ("Your certificates" tab inside certificate manager).
>>>> 5. import ServerPublic in firefox
>>>> Something like this:
>> (...)
>>>> 2. keytool -genkeypair -keystore client.keystore ...
>>>> 3a. keytool -exportcert -keystore client.keystore -file client.cert ...
>>>> 3b. keytool -importcert -keystore server.truststore -file client.cert ...
>>>> 4a. convert client.keystore to client.pkcs12 (google for that)
>>>> 4b. Firefox, Tools, Options, Advanced, View Certificates, Your
>>>> certificates, Import, client.pkcs12
>>>> 5. Point firefox to webapp, add security exception.
>> Regards,
>> Ognjen
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:

Sent from the Tomcat - User mailing list archive at
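As an added example (not code from this thread), here are Ognjen's steps 2 to 4a written out with keytool, plus a digest check for this message's question about whether the .p12 file was damaged in transfer. The file names, alias "clientcert" and password "changeit" are assumptions; the point to notice is that the key password and keystore password are kept identical, since a PKCS12 file carries a single password and a mismatch is a common reason an import elsewhere reports "incorrect password".

```shell
#!/bin/sh
# Added example for the thread above; hypothetical names and password.
set -eu

ALIAS=clientcert
STOREPASS=changeit
KEYSTORE=client.keystore
P12=client.p12
TRUSTSTORE=tomcat.truststore

# Step 2: client key pair. -keypass is deliberately equal to -storepass so
# the later PKCS12 conversion has one password for store and key.
gen_client_keypair() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=client, OU=test, O=example, C=US" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 3: export only the client's public certificate and import it into the
# truststore Tomcat uses to verify client certificates (not into Firefox).
trust_client_in_tomcat() {
  keytool -exportcert -alias "$ALIAS" -file client-cert.cer \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
  keytool -importcert -noprompt -alias "$ALIAS" -file client-cert.cer \
    -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
}

# Step 4a: convert the JKS keystore (private + public key) to PKCS12 for
# Firefox, then prove the password opens it before copying it anywhere.
convert_to_pkcs12() {
  keytool -importkeystore -srckeystore "$KEYSTORE" -srcstorepass "$STOREPASS" \
    -srcalias "$ALIAS" -srckeypass "$STOREPASS" \
    -destkeystore "$P12" -deststoretype PKCS12 -deststorepass "$STOREPASS" \
    -destkeypass "$STOREPASS"
  keytool -list -keystore "$P12" -storetype PKCS12 -storepass "$STOREPASS"
}

# "Was the key tampered in transfer?": compare the SHA-256 of the copy on
# the UNIX box with the copy that arrived on the other machine. Returns 0
# only when the two files are byte-identical; a mismatch means the transfer
# (not the password) is the problem.
same_digest() {
  a=$(sha256sum "$1" | cut -d' ' -f1)
  b=$(sha256sum "$2" | cut -d' ' -f1)
  [ "$a" = "$b" ]
}
```

Run gen_client_keypair, trust_client_in_tomcat and convert_to_pkcs12 in that order on the UNIX box, then compare `sha256sum client.p12` there with the digest of the transferred copy using same_digest.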
