Posted to users@tomcat.apache.org by "O'Hagan, Shaun" <so...@tanning.com> on 2000/10/03 15:04:47 UTC

RE: IE4 SSL -> Tomcat 4 (clientAuth=true)

Hi Craig,

Thanks for the answer

>The stack trace is an ugly way for Tomcat 4.0 to respond (which will be fixed),
>but the key issue is that you need to go acquire a *client* certificate from
>some certificate authority (Verisign has free 30-day trial certificates in the
>US, not sure about Europe), and install it in your browser.  What's happening is
>that Tomcat is asking your browser to upload its certificates, but you don't
>have any installed so it is not able to validate you.

I followed your advice and obtained a certificate from Verisign but I'm
still getting the same error and having a lot of frustration here :-(

Q.

When I create the certificate pair with keytool for tomcat and export it to
send to Verisign they send me a signed certificate back.  Do I do an import
on this?  I've done so but I end up with two entries with my keytool -list,
one for my original tomcat alias and the other for mykey which is the
trustedcertentry?

Verisign sent me an email that told me to point my IE55 browser to
 http://digitalid.verisign.com/server/trial/trialStep4.htm
and install the Test CA Root.  This I've done.

But no go.  I get this null cert chain error.  What can I check on IE5 to
see why it isn't sending whatever it isn't sending?

Thanks for any help again.

Shaun O'Hagan

Tanning Technology Europe.

--
====================
See you at ApacheCon Europe <http://www.apachecon.com>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat


Re: IE4 SSL -> Tomcat 4 (clientAuth=true)

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
See below.

"O'Hagan, Shaun" wrote:

> Hi Craig,
>
> Thanks for the answer
>
> >The stack trace is an ugly way for Tomcat 4.0 to respond (which will be fixed),
> >but the key issue is that you need to go acquire a *client* certificate from
> >some certificate authority (Verisign has free 30-day trial certificates in the
> >US, not sure about Europe), and install it in your browser.  What's happening is
> >that Tomcat is asking your browser to upload its certificates, but you don't
> >have any installed so it is not able to validate you.
>
> I followed your advice and obtained a certificate from Verisign but I'm
> still getting the same error and having a lot of frustration here :-(
>

I'm not sure we are talking about the same thing yet.

For client authentication to be used, you have to get a certificate for your
*client* (i.e. your browser), and install it there (I'm sure the Verisign site
has instructions for this, because that's exactly what I did) -- you would be
using "keytool" only if you're generating a *server* certificate.  You might
want to do this later, instead of the self-signed certificate that has already
been created, but it does not have anything to do with client authentication.

Once you get a client certificate installed correctly and access the protected
site, your browser will say something like "this site is requesting a client
certificate; which one should I send?" and offer you a dialog box containing all
the client certificates you've imported into your browser.

Craig

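
The client/server certificate distinction from the reply above, as an added example that is not part of either message and is not Tomcat's own code. It assumes the openssl CLI is available (the thread itself uses keytool and the browser's certificate store); the CA, subjects and paths are constructed, and the extended-key-usage check goes slightly beyond what the thread discusses.

```shell
#!/bin/sh
# Constructed demo: throwaway CA, made-up subject names, temp files only.
# Assumes the openssl CLI is installed; nothing here touches the network.

# Issue a certificate from a throwaway CA (created on first use).
# usage: issue_cert <workdir> <name> <clientAuth|serverAuth>
issue_cert() {
    dir=$1; name=$2; eku=$3
    if [ ! -f "$dir/ca.pem" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo Test CA" \
            -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    fi
    # The extended key usage states what the certificate may be used for.
    printf 'extendedKeyUsage=%s\n' "$eku" > "$dir/$name.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
}

# Succeeds only if the certificate chains to the CA the verifier trusts
# AND is permitted for use as an SSL client certificate.
# usage: usable_as_client_cert <workdir> <name>
usable_as_client_cert() {
    openssl verify -purpose sslclient -CAfile "$1/ca.pem" \
        "$1/$2.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
issue_cert "$work" browser-user clientAuth    # what the browser needs
issue_cert "$work" tomcat-server serverAuth   # what the server presents

for cert in browser-user tomcat-server; do
    if usable_as_client_cert "$work" "$cert"; then
        echo "$cert: accepted as a client certificate"
    else
        echo "$cert: rejected as a client certificate"
    fi
done
```

The verifier's trust store only needs the CA certificate; the private key for the client certificate stays with the client that presents it.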