
client authentication on iPlanet Web Server 4.1


G.L.Srinivasan

Nov 3, 2000, 3:00:00 AM
Hi,
You are writing a Java client talking to a web application. You want to
use two-way authentication using client and server certificates.
You need to install a "server" root cert and a demo/server cert on the
web server. At the server, you need to get the "root" server cert from
VeriSign also.
You are generating a self-signed cert for the client app using "keytool".
But you say that you installed this cert at the server. You use the Admin
server to install the server certs.

You have to enable SSL at the server and at the client app. You fail at the
"SSL Handshake" phase.

gls
Garban


Fujian Yang wrote:

> Hello,
>
> I'm using SSL to connect a client (written with JSSE1.0.2) and an iPlanet
> web server 4.1. And I want to do both server and client authentication.
>
> For the server authentication I got a trial server certificate from
> Verisign, it works fine.
>
> For the client authentication, I use keytool to generate a self signed
> certificate by issuing the command:
> keytool -genkey -alias myAlias
> and
> keytool -list -rfc -alias myAlias > client.cer.txt
>
> Removed the header in client.cer.txt, I got a self signed certificate.
> It just contains "-----BEGIN CERTIFICATE ...... -----END
> CERTIFICATE-----".
>
> Then on the administration server, I installed this certificate as a
> trusted certificate authority.
>
> But when the client tried to talk with the server using this
> certificate, it caught the exception "javax.net.ssl.SSLException:
> Received fatal alert: handshake_failure (no cipher suites in common)",
> while on the server the error is "Error receiving connection
> (SEC_ERROR_BAD_SIGNATURE - Certificate has invalid signature) "
>
> Can anybody tell me what went wrong here?
>
> Thank you,
> -Fujian


Nelson B. Bolyard (At Home)

Nov 5, 2000, 3:00:00 AM
Fujian Yang wrote:
>
> Hello,
>
> I'm using SSL to connect a client (written with JSSE1.0.2) and an iPlanet
> web server 4.1. And I want to do both server and client authentication.
>
> For the server authentication I got a trial server certificate from
> Verisign, it works fine.
>
> For the client authentication, I use keytool to generate a self signed
> certificate by issuing the command:
> keytool -genkey -alias myAlias
> and
> keytool -list -rfc -alias myAlias > client.cer.txt
>
> Removed the header in client.cer.txt, I got a self signed certificate.
> It just contains "-----BEGIN CERTIFICATE ...... -----END
> CERTIFICATE-----".
>
> Then on the administration server, I installed this certificate as a
> trusted certificate authority.
>
> But when the client tried to talk with the server using this
> certificate, it caught the exception "javax.net.ssl.SSLException:
> Received fatal alert: handshake_failure (no cipher suites in common)",
> while on the server the error is "Error receiving connection
> (SEC_ERROR_BAD_SIGNATURE - Certificate has invalid signature) "
>
> Can anybody tell me what went wrong here?
>
> Thank you,
> -Fujian

It sounds to me like you tried to use a single self-signed certificate as
both a trusted CA and as a client certificate. That won't work with
Communicator, if I recall correctly. You need two certs, a trusted CA cert
and a separate client auth cert that was issued by the trusted CA (that is,
whose issuer name is the subject name of the CA cert). The server needs to
know the CA cert and trust it for client auth. The browser needs to know
both certs.

--
Nelson Bolyard (at home) Speaking only for myself.

Nelson B. Bolyard (At Home)

Nov 5, 2000, 3:00:00 AM
Doh! You were writing about a java client, so my answer was PROBABLY
irrelevant. But it may still give you some clues.
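
The two-certificate layout from the first reply above (a trusted CA cert plus a separate client cert whose issuer is that CA), built with keytool. This is an added example, not part of the thread; it assumes a JDK 7 or later keytool (for `-gencert`, which postdates the thread), and every alias, name, file name and password in it is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a JDK 7+ keytool, which has -gencert.
# All aliases, names, file names and the password are constructed for the demo.
set -eu
PASS=changeit
KT="keytool -J-Duser.language=en"    # force English output so it can be parsed

build_client_chain() {    # $1 = existing empty directory
  d=$1
  # 1. CA key pair; its self-signed cert carries BasicConstraints CA:true.
  $KT -genkeypair -alias demo-ca -keyalg RSA -keysize 2048 -validity 365 \
      -dname "CN=Demo Client CA" -ext bc:c=ca:true \
      -keystore "$d/ca.jks" -storepass "$PASS" -keypass "$PASS"
  # 2. Client key pair (still self-signed at this point).
  $KT -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 \
      -dname "CN=Demo Client" \
      -keystore "$d/client.jks" -storepass "$PASS" -keypass "$PASS"
  # 3. Client CSR, then a client-auth cert issued by the CA key.
  $KT -certreq -alias client -keystore "$d/client.jks" -storepass "$PASS" \
      -file "$d/client.csr"
  $KT -gencert -alias demo-ca -keystore "$d/ca.jks" -storepass "$PASS" \
      -infile "$d/client.csr" -outfile "$d/client.pem" -rfc \
      -validity 365 -ext eku=clientAuth
  # 4. CA cert in PEM form: the only file the server has to trust.
  $KT -exportcert -alias demo-ca -keystore "$d/ca.jks" -storepass "$PASS" \
      -rfc -file "$d/ca.pem"
  # 5. The client needs both certs: CA first, then the issued cert replaces
  #    the self-signed one under the same alias and forms a 2-cert chain.
  $KT -importcert -noprompt -alias demo-ca -file "$d/ca.pem" \
      -keystore "$d/client.jks" -storepass "$PASS"
  $KT -importcert -alias client -file "$d/client.pem" \
      -keystore "$d/client.jks" -storepass "$PASS"
}

# Subject and issuer of a PEM cert; they are equal only for a self-signed cert.
owner_of()  { $KT -printcert -file "$1" | sed -n 's/^Owner: //p'  | head -n 1; }
issuer_of() { $KT -printcert -file "$1" | sed -n 's/^Issuer: //p' | head -n 1; }

# Chain length stored with the client's private key (2 = client cert + CA).
chain_length() {
  $KT -list -v -alias client -keystore "$1" -storepass "$PASS" |
    sed -n 's/^Certificate chain length: //p'
}

if [ $# -gt 0 ]; then
  build_client_chain "$1"
  echo "client issuer: $(issuer_of "$1/client.pem")"
fi
```

Here `ca.pem` is what the server is told to trust for client auth, and `client.jks` holds the private key with both certs for the Java client to load as its key store.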