1. Generate server certificate (stored in jks) with
keytool -genkey -keystore server.keystore -keyalg rsa -alias server
2. Insert into server.xml
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="keypass" value="xxxxxxxx"></Parameter>
    <Parameter name="port" value="8443"></Parameter>
    <Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"></Parameter>
    <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"></Parameter>
    <Parameter name="keystore" value="<path-to>/server.keystore"></Parameter>
    <Parameter name="clientAuth" value="false"></Parameter>
</Connector>
This defines an SSL connection without client authentication; it works fine
with both Netscape and IE. Next I want to add client certificates:
3. Generate client certificate in keystore and export it to file:
keytool -genkey -keystore client.keystore -keyalg rsa -alias client
keytool -export -keystore client.keystore -alias client -file client.cer
4. Import client certificate to server keystore:
keytool -import -keystore server.keystore -alias server -file client.cer
5. Install client.cer on the client (browser) side. I couldn't install it in
Netscape, but in IE it appeared among "Trusted CA".
6. Change <Parameter name="clientAuth" value="false"> to true in server.xml
This configuration doesn't work. I tried importing the server certificate
into the browser, various Common Names, and so on. I also tried certificates
generated with OpenSSL. These certificates can be installed as private
certificates in Netscape (by providing "Content-Type:
application/x-x509-user-cert" as CGI output). In all these cases the result
is the same:
1. IE shows a failure without any information about the reason for the
failure or any mention of the server certificate.
2. Netscape talks about the server certificate, as usual. After accepting it,
it claims that there is "No User Certificate" (even with a certificate
installed from OpenSSL), and after this point Tomcat breaks the connection
and writes "java.io.SocketError" to the service error_log.
Maybe somebody knows where my mistake is?
Thanks, Michael Tupitsyn
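As an added diagnostic (not part of the original post), the Java program below opens the server keystore, reports which aliases hold a private key and which hold a trusted certificate, and says whether the exported client.cer is present as its own trusted entry rather than colliding with the server's key entry. The keystore path, the password and the .cer path are placeholders to be replaced with your own values.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collections;

// Added check, not from the original post: for client authentication the
// client's certificate must be stored as a trusted-certificate entry, under an
// alias that is not already taken by the server's private-key entry.
public class KeystoreCheck {

    static void describe(String keystorePath, char[] password, String cerPath) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        System.out.println("Entries in " + keystorePath + ":");
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "private key + certificate chain"
                                              : "trusted certificate";
            System.out.println("  " + alias + " : " + kind);
        }
        // Parse the exported client certificate and look it up in the keystore.
        Certificate clientCert;
        try (InputStream in = new FileInputStream(cerPath)) {
            clientCert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        String found = ks.getCertificateAlias(clientCert);
        if (found == null) {
            System.out.println(cerPath + " is NOT stored in the keystore.");
        } else if (ks.isKeyEntry(found)) {
            System.out.println(cerPath + " matches key entry '" + found
                + "', so it is not a separate trust anchor.");
        } else {
            System.out.println(cerPath + " is a trusted certificate under alias '" + found + "'.");
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; replace with your own keystore, password and file.
        describe("server.keystore", "xxxxxxxx".toCharArray(), "client.cer");
    }
}
```

Run it against server.keystore after step 4; if client.cer is reported as missing or as matching the server's key entry, the import did not create the trusted entry that clientAuth needs.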