I had mentioned the type of the certificate in server.xml:
and now the problem is that I cannot open the https with a browser except with the Netscape browser, and it confuses me...
1. the question is how I can view the https from IE, because I am going to use that browser (when I use the .jks format for the keystore everything goes well, but since I have to use a client certificate it should be the .pfx format)
and Tomcat is running well...
thank you so much :P
If it works with JKS, why can't you use that? The JCA Reference Guide explains that PKCS #12 doesn't support trusted certificates yet, which JKS does, so this may be the problem. You can still use PKCS #12 for the client key, and JKS for the server key and trusted client certificate.
Well, you would use JKS for Java code, and PFX to supply a key for the browser to import into its own keystore, which is different for Internet Explorer and Firefox.
If you're using SSL to authenticate the client, it needs a private key, which can be exported to and imported from a PFX file. If you're using a password to authenticate the client, and only using SSL to authenticate the server, all the client needs is the server certificate.
I want to use mutual authentication... so both server and client authentication are needed...
till now I have managed to do the server authentication...
the only thing left is the client authentication, which I don't have any clue about:
1. how to request the client certificate from the server
2. is it just a client certificate, or is it a keystore that contains the client cert + private key?
thanks for guiding me ....
For mutual authentication, each end needs its own private key in its keystore, and a certificate from the other end in its truststore; this certificate could be from the other key, or a CA which has signed it. Tomcat makes the truststore the same as the keystore by default, which can be confusing. You also need to configure Tomcat to ask for the other end’s certificate with the clientAuth setting.
Java 6 also doesn't support a PKCS #12 (PFX or P12) file for the truststore, only JKS or JCEKS.
The browser can get the remote certificate into its trusted certificates from a .CER file. Its private key can be imported from a PKCS #12 file, or it can generate one itself and get it signed online by a CA. You can run your own CA using EJBCA, or one that comes with your OS.
Note that you don’t need to issue the certificates for the browsers yourself. If your users get their client certificates from Brand X CA, you can add Brand X CA’s root certificate to your server’s trust store to accept the client certificates.
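As an added illustration of the setup described in the answers above (not configuration from this thread or from the Tomcat project), here is a Tomcat 6-style HTTPS Connector first with server-only authentication and then with mutual authentication, keeping the server key in a PKCS #12 file and the trusted client certificates in a separate JKS truststore. The file names and passwords are placeholders.

```xml
<!-- Added example, not from the original thread. Paths and passwords are
     placeholders; replace them with your own. -->

<!-- Server authentication only: the browser verifies Tomcat's certificate and
     Tomcat never asks the browser for one. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="false"
           keystoreFile="conf/server.pfx" keystoreType="PKCS12"
           keystorePass="changeit" />

<!-- Mutual authentication: the server's private key stays in the PKCS #12
     keystore, but the trusted client certificates (or the root certificate of
     the CA that issued them) are declared explicitly in a JKS truststore,
     since a PKCS #12 file cannot hold trusted certificates on Java 6.
     clientAuth="true" makes Tomcat request a client certificate and reject the
     handshake if none is presented; clientAuth="want" requests one but lets
     the connection proceed without it, leaving the decision to the
     application. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="conf/server.pfx" keystoreType="PKCS12"
           keystorePass="changeit"
           truststoreFile="conf/trusted-clients.jks" truststoreType="JKS"
           truststorePass="changeit" />
```

The truststore is populated with the CA's (or the client's) certificate only, for example `keytool -importcert -alias brandx-ca -file brandx-ca.cer -keystore conf/trusted-clients.jks`, so no private key ever goes into it.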