Thank you so much for your response!! To answer your questions:

1. Yes, they are self-signed certificates.
2. Yes, I am dealing with only one client. I am using Firefox.

Here is the tomcat.keystore entry (I believe this will be my ServerPrivateKey):

------------------------------------------------
keytool -list -keystore tomcat.keystore
------------------------------------------------
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Aug 15, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): 56:E0:24:CC:7F:45:6F:C5:F2:07:D0:5C:27:33:04:18

Here is the tomcat.keystore entry (I believe this will be my ClientPublicKey):

------------------------------------------------
keytool -list -keystore tomcat.truststore
------------------------------------------------
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

clientcert, Aug 19, 2010, trustedCertEntry,
Certificate fingerprint (MD5): 11:7F:F8:FF:3B:85:CD:A0:72:5C:1B:52:D4:C4:29:E6

I have not worked with SSL before, so I am a bit new to this. See the difference in these two: keystore has "PrivateKeyEntry" and truststore has "trustedCertEntry". I don't have a client.keystore.

Commands I used for creating a truststore & adding keys to it:

keytool -export -alias clientcert -file client-cert.cer -keystore tomcat.truststore
keytool -import -file client-cert.cer -alias clientcert -keystore tomcat.truststore

I already had a preloaded tomcat.keystore to begin with, so I did not change that.

Before making the server request, I went to Firefox -> Options -> Advanced -> View Certificates -> Import -> client-cert.cer. Then I made a server request. The first time, the server produces its certificate and I add the exception (install it into my browser). Upon completion, I see this error:

SSL peer cannot verify your certificate. (Error code: ssl_error_bad_cert_alert)

Let me know if this doesn't make sense.

Regards,
Aravind.

Ognjen Blagojevic-5 wrote:
>
> On 19.8.2010 22:35, aravidu wrote:
>> I created the keystore and truststore too. keystore has a PrivateKeyEntry
>> and truststore has a trustedCertEntry.
>
> Are those self-signed certificates?
>
> Could you provide exact commands you used to create them?
>
> I believe you must have one key pair for server, and one key pair for
> every client. In other words, at least two key pairs, in case you are
> describing when there is only one client. Let those keys be called
> ServerPublic, ServerPrivate, ClientPublic and ClientPrivate.
>
> You should:
>
> 1. generate ServerPublic+ServerPrivate in tomcat.keystore file,
> 2. generate ClientPublic+ClientPrivate in, say, client.keystore file,
> 3. import ClientPublic in tomcat.truststore, and
> 4. import ClientPublic+ClientPrivate (usually in form of pkcs12 file) in
> firefox ("Your certificates" tab inside certificate manager).
> 5. import ServerPublic in firefox
>
> Something like this:
>
> 1. keytool -genkeypair -keystore tomcat.keystore ...
>
> 2. keytool -genkeypair -keystore client.keystore ...
>
> 3a. keytool -exportcert -keystore client.keystore -file client.cert ...
> 3b. keytool -importcert -keystore server.truststore -file client.cert ...
>
> 4a. convert client.keystore to client.pkcs12 (google for that)
> 4b. Firefox, Tools, Options, Advanced, View Certificates, Your
> certificates, Import, client.pkcs12
>
> 5. Point firefox to webapp, add security exception.
>
>
> Regards,
> Ognjen
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

--
View this message in context: http://old.nabble.com/tomcat-mutual-authentication-doesn%27t-work-tp29486233p29487220.html
Sent from the Tomcat - User mailing list archive at Nabble.com.