Hi Chris,

Sure, I will maintain the same thread. Thanks for your input.

I just followed the link below to generate the CA certificate: http://oshogsb.blogspot.in/2007/07/how-to-create-custom-ca-and.html (which helps to create a custom CA certificate using OpenSSL), and I just pointed the server.xml file at those generated files.

In step 13, "The common name of the client must match a user in Tomcat's user realm (e.g. an entry in conf/tomcat-users.xml)", which I missed out. Is this why I am unable to access the client certificate?

On Wed, Sep 4, 2013 at 5:17 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Sushil,
>
> Please maintain a single thread when (repeatedly) asking the same
> questions.
>
> On 9/4/13 5:20 AM, Sushil Prusty wrote:
> > <Connector SSLEnabled="true" acceptCount="100" clientAuth="want"
> >   disableUploadTimeout="true" enableLookups="false"
> >   keystoreFile="/LocalDev/software/ssl/server/server.ks"
> >   keystorePass="password"
> >   truststoreFile="/LocalDev/software/ssl/server/server.ks"
> >   truststorePass="password" maxThreads="250" port="8443"
> >   protocol="org.apache.coyote.http11.Http11NioProtocol"
> >   scheme="https" secure="true" sslProtocol="TLS" />
> >
> > Please let me know if there is any extra configuration required on
> > the server side to validate the client certificate?
>
> It sounds like you have already configured client certificate
> validation, but it's not working the way you expected.
>
> First off, I usually see configurations where the "trust store" is
> separate from the "key store". Your keystore should be considered
> "super secret" and shouldn't change much. Your trust store, on the
> other hand, might undergo lots of changes over time to add CA certs,
> client certs, etc.
>
> Second, what do you actually have in your keystore? Since you are
> using JSSE, your keystore should contain the server's key and
> certificate, plus any CA certificates and intermediate CA certificates
> necessary to provide a certificate chain from your server to one the
> browser trusts (e.g. VeriSign Top-level -> VeriSign intermediate ->
> Your cert). What else do you have in there? In order to verify client
> certificates, you'll need to have either the client certificate
> itself, or the certificate that signed the client certificate, or a
> chain similar to the above (e.g. Cert a -> Cert b -> Cert c -> Your
> client cert).
>
> This may be a simple problem of not having the right CA certificate(s)
> in your trust store.
>
> -chris
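A runnable illustration of Chris's point about what the trust store must contain, added here as an example and not code from either message in the thread: it builds a throwaway CA with the openssl CLI, issues server and client certificates from it, keeps the server key in a store separate from the CA-only trust set, and checks that the client certificate verifies only against a trust set holding the CA that signed it. The CA names, file names, the client common name "tomcat" and the password are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Requires the openssl CLI.
# Builds a throwaway CA, issues server and client certificates from it, and
# shows that a client certificate verifies only when the CA that signed it is
# in the trust set, which is what Tomcat's truststoreFile must hold.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed CA certificate; the subject name is constructed for this example.
make_ca() {  # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Issue a certificate for common name $2, signed by CA $3, into files "$1.*".
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
    -CAcreateserial -out "$1.crt" 2>/dev/null
}

# Exit status 0 if client certificate $1 chains to a CA in trust file $2.
verify_client() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_ca ca "Example Test CA"      # signs both the server and the client cert
make_ca other-ca "Unrelated CA"   # a CA that signed nothing we use
issue_cert server localhost ca
issue_cert client tomcat ca       # CN "tomcat" would have to match tomcat-users.xml

# Separate stores, as Chris recommends: the PKCS12 keystore holds the server
# key plus its chain (Tomcat: keystoreFile with keystoreType="PKCS12"); the
# trust set holds only the CA certificate(s) that signed acceptable client
# certs (for a JKS truststore: keytool -importcert -file ca.crt -keystore ...).
openssl pkcs12 -export -name tomcat -inkey server.key -in server.crt \
  -certfile ca.crt -passout pass:changeit -out server.p12
cp ca.crt truststore.pem

verify_client client.crt truststore.pem && echo "client cert accepted"
verify_client client.crt other-ca.crt || echo "rejected: signing CA not trusted"
```

The second check reproduces the failure mode Chris describes: a perfectly valid client certificate is rejected when the trust set does not contain the CA that issued it.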