Ok. I will follow your steps and get back to you. I will write back in a couple hours.
Thanks very much!
-A

Ognjen Blagojevic-5 wrote:
>
> On 20.8.2010 0:44, aravidu wrote:
>> I don't have a client.keystore.
>>
>> Commands I used for creating a truststore & adding keys to it:
>> keytool" -export -alias clientcert -file client-cert.cer -keystore
>> tomcat.truststore
>> keytool" -import -file client-cert.cer -alias clientcert -keystore
>> tomcat.truststore
>
> That is wrong since you are configuring Tomcat to trust itself.
>
> What you need to do is to configure Tomcat to trust the client, and to
> add client *private and public key* (pkcs12 file) to Firefox. So, you
> don't import .cert file (that is just public key) into Firefox but
> .pkcs12/.p12 file (it contains both private and public key).
>
> You need to delete tomcat.truststore you created, and do steps 2-5 as I
> described:
>
>>> 2. generate ClientPublic+ClientPrivate in, say, client.keystore file,
>>> 3. import ClientPublic in tomcat.truststore, and
>>> 4. import ClientPublic+ClientPrivate (usually in form of pkcs12 file) in
>>> firefox ("Your certificates" tab inside certificate manager).
>>> 5. import ServerPublic in firefox
>>>
>>> Something like this:
>>>
> (...)
>>> 2. keytool -genkeypair -keystore client.keystore ...
>>>
>>> 3a. keytool -exportcert -keystore client.keystore -file client.cert ...
>>> 3b. keytool -importcert -keystore server.truststore -file client.cert
>>> ...
>>>
>>> 4a. convert client.keystore to client.pkcs12 (google for that)
>>> 4b. Firefox, Tools, Options, Advanced, View Certificates, Your
>>> certificates, Import, client.pkcs12
>>>
>>> 5. Point firefox to webapp, add security exception.
>
> Regards,
> Ognjen
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

--
View this message in context: http://old.nabble.com/tomcat-mutual-authentication-doesn%27t-work-tp29486233p29492500.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
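Steps 2 to 4a from the quoted reply, written out as an added example that is not part of the original thread, with a check that the truststore ends up holding only the client's certificate while the PKCS#12 file holds the private key. The alias `client`, the DN, the password `changeit`, the key parameters and both function names are assumptions standing in for the "..." in the quoted commands.

```shell
#!/bin/sh
# Added example: builds the files from steps 2-4a in a scratch directory.
# Alias, DN, password and function names are constructed for this demo.

build_client_auth_stores() {
    dir=$1
    pass=changeit    # demo password only
    mkdir -p "$dir" || return 1

    # Step 2: client key pair (private key + self-signed certificate).
    keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=Demo Client, O=Example" \
        -keystore "$dir/client.keystore" \
        -storepass "$pass" -keypass "$pass" || return 1

    # Step 3a: export only the client's certificate (the public part).
    keytool -exportcert -alias client -keystore "$dir/client.keystore" \
        -storepass "$pass" -file "$dir/client.cert" || return 1

    # Step 3b: import that certificate into a fresh server truststore,
    # so Tomcat trusts the client rather than itself.
    keytool -importcert -noprompt -alias client -file "$dir/client.cert" \
        -keystore "$dir/server.truststore" -storepass "$pass" || return 1

    # Step 4a: convert the client keystore to PKCS#12 for the browser import.
    keytool -importkeystore -noprompt \
        -srckeystore "$dir/client.keystore" -srcstorepass "$pass" \
        -destkeystore "$dir/client.pkcs12" -deststoretype PKCS12 \
        -deststorepass "$pass" || return 1
}

# entry_type_is <store> <alias> <type>: succeeds when keytool reports the
# alias as the given entry type (trustedCertEntry or PrivateKeyEntry).
entry_type_is() {
    keytool -list -keystore "$1" -storepass changeit -alias "$2" 2>/dev/null \
        | grep -q "$3"
}

# Usage: build_client_auth_stores ./mtls-demo
#        entry_type_is ./mtls-demo/server.truststore client trustedCertEntry
```

Step 4b (the Firefox import of `client.pkcs12`) and step 5 remain manual.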