Posted to users@tomcat.apache.org by "O'Hagan, Shaun" <so...@tanning.com> on 2000/10/03 15:04:47 UTC
RE: IE4 SSL -> Tomcat 4 (clientAuth=true)
Hi Craig,
Thanks for the answer
>The stack trace is an ugly way for Tomcat 4.0 to respond (which will be fixed),
>but the key issue is that you need to go acquire a *client* certificate from
>some certificate authority (Verisign has free 30-day trial certificates in the
>US, not sure about Europe), and install it in your browser. What's happening is
>that Tomcat is asking your browser to upload its certificates, but you don't
>have any installed so it is not able to validate you.
I followed your advice and obtained a certificate from Verisign but I'm
still getting the same error and having a lot of frustration here :-(
Q.
When I create the certificate pair with keytool for Tomcat and export it to
send to Verisign, they send me a signed certificate back. Do I do an import
on this? I've done so but I end up with two entries with my keytool -list,
one for my original tomcat alias and the other for mykey, which is the
trustedcertentry?
Verisign sent me an email that told me to point my IE55 browser to
http://digitalid.verisign.com/server/trial/trialStep4.htm
and install the Test CA Root. This I've done.
But no go. I get this null cert chain error. What can I check on IE5 to
see why it isn't sending whatever it isn't sending?
Thanks for any help again.
Shaun O'Hagan
Tanning Technology Europe.
--
====================
See you at ApacheCon Europe <http://www.apachecon.com>!
Session VS01 (23-Oct 13h00-17h00): Sun Technical Briefing
Session T06 (24-Oct 14h00-15h00): Migrating Apache JServ
Applications to Tomcat
Re: IE4 SSL -> Tomcat 4 (clientAuth=true)
Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
See below.
"O'Hagan, Shaun" wrote:
> Hi Craig,
>
> Thanks for the answer
>
> >The stack trace is an ugly way for Tomcat 4.0 to respond (which will be fixed),
> >but the key issue is that you need to go acquire a *client* certificate from
> >some certificate authority (Verisign has free 30-day trial certificates in the
> >US, not sure about Europe), and install it in your browser. What's happening is
> >that Tomcat is asking your browser to upload its certificates, but you don't
> >have any installed so it is not able to validate you.
>
> I followed your advice and obtained a certificate from Verisign but I'm
> still getting the same error and having a lot of frustration here :-(
>
I'm not sure we are talking about the same thing yet.
For client authentication to be used, you have to get a certificate for your
*client* (i.e. your browser), and install it there (I'm sure the Verisign site
has instructions for this, because that's exactly what I did) -- you would be
using "keytool" only if you're generating a *server* certificate. You might
want to do this later, instead of the self-signed certificate that has already
been created, but it does not have anything to do with client authentication.
Once you get a client certificate installed correctly and access the protected
site, your browser will say something like "this site is requesting a client
certificate; which one should I send?" and offer you a dialog box containing all
the client certificates you've imported into your browser.
Craig