> -----Original Message-----
> From: Marcello Marangio [mailto:m.maran...@innova.puglia.it]
> > -----Original Message-----
> > From: Jason Pyeron [mailto:jpye...@pdinc.us]
> > > -----Original Message-----
> > > From: Marcello Marangio [mailto:m.maran...@innova.puglia.it]
> > > > From: Jason Pyeron [mailto:jpye...@pdinc.us]
> > > > > From: Marcello Marangio [mailto:m.maran...@innova.puglia.it]
> > > > > > From: Jason Pyeron [mailto:jpye...@pdinc.us]
> > > > >
> > > > > Ok.
> > > > > I did the same thing with IE and in the debug it says "null cert chain"
> > > > > during the client authentication handshake.
> > > > > Now I am confused...
> > > >
> > > > Let's step back and look.
> > > >
> > > > Can you provide the smart card and server certificate chain (no keys please)?
> > >
> > > Hang on a second...
> > > The server certificate is a self-signed certificate I made with keytool.
> > > The smart card certificate, instead, is a real one, which I use to legally
> > > sign electronic documents; the issuer is an Italian CA.
> > >
> > > Do you expect the issuer of the smart card certificate to be the same as the server one?
> >
> > Not always.
> >
> > Let's take for example:
> >
> > https://mail.pdinc.us <- PD Inc Public CA <- PD Inc Root CA
> >
> > and
> >
> > MySmartCard <- DOD EMAIL CA-15 <- DoD Root CA-2
> >
> > (the S/MIME cert used on this email)
> >
> > I can use my smart card to auth against the server. But the server must
> > know about DoD Root CA-2.
> >
>
> Ok. In my case:
>
> https://localhost <- self-signed certificate
> and
> Mysmartcard <- my certificate <- infocamere root CA
>
> And in my trusted certificates keystore there is infocamere root CA.
As a point of note, we always avoid using self-signed certs for any purpose other than a CA. Let's take the first few steps on making this more proper.

1. Create a self-signed CA cert.
2. Create your web server cert and sign it with the CA.
3. Install it (and the chain) in the web server.
4. Install the CA into your browser.
   4a. For IE, it would be the Trusted Root Certification Authorities store.
   4b. You can do this by browsing to the web server,
   4c. ignoring the errors,
   4d. viewing the certs (click on the padlock),
   4e. looking at the chain (there is a hierarchy, right?),
   4f. selecting and opening the root of the hierarchy,
   4g. Install cert:
       4g1. select where to place it,
       4g2. select Trusted Root Certification Authorities (if for all users, select the all-users physical store for TRCA).
5. Exit the browser (all of the windows; verify iexplore.exe is not running), and revisit the server, confirming no security prompts.

Let me know if/where you get stuck.

> > Please find in attachment a signed text file you can read my cert info from.
> >
> > Thanks
> > Marcello
> --

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Jason Pyeron                  PD Inc. http://www.pdinc.us       -
- Principal Consultant          10 West 24th Street #100          -
- +1 (443) 269-1555 x333        Baltimore, Maryland 21218         -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.