Win a copy of Kotlin in Action this week in the Kotlin forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic

Tomcat SSL .Enabling Client authentication with tomcat  RSS feed

Roopa Modugu
Posts: 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am trying to set up mutual authentication with tomcat.

I am able set up only server authentication by using java keytool and setting clientAuth="false".

now i want to set tup client authnetication i set the clientAuth="true"

created keystore with self signed certificates for both server and client..
set the ssl keystore path to this key store .
i enables ssl log for tomcat.

what i see is the log shows only entry for tomcat key entry. for the server certificate.

it does not show the client certificate.

I m sure my keystore has client certificate.
i know this when i lsited the entries in the key store.
$ keytool -list -keystore tomcat2.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

roopa, Jul 29, 2009, trustedCertEntry,
Certificate fingerprint (MD5): AD8:7B:88:5F0:A2:3E:6B:E4:8C:6D:29:CC:B5:A2
tomcat, Jul 24, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): 34:52:19:6D:3C:06:A8:91:12:4B:F2:1A:B7:1E:5D:4A
mykey, Jul 24, 2009, trustedCertEntry,
Certificate fingerprint (MD5): DE:A7:59:23:09:FF:BC:C4:EC:5B:73:6C:BB:B9:ED:25

I also imported the p12 client certificate into the web browser and tried. it did not work.

I see it that tomcat itself is not able to load the certificate named with alias roopa here.

Where could i go wrong.?

I also tried to import these self signed client certificates into cacerts.jks .it loads all commercial CA certificates but not the self signed client certificates i created.
to work with tomcat the client certificates have to be
CA certified??.

all the information i got from website show that these steps should be enough to make client authentication work.

But its not working for me here..

Here is my server.xml conf.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" scheme="https" secure="true"
debug="5" clientAuth="true" keystoreFile="c:\Roopa\test\tomcat2.keystore" keystorePass="roopanov14" truststorefile="c:\Roopa\test\tomcat2.keystore" truststorepass="roopanov14" sslProtocol="TLS" />.

the password and the path to keystore are correct.

it is loading entry for tomcat.

but not the client certificate entries..

can anybody tell me whats going on where i m going wrong.??


Tim Holloway
Posts: 18713
Android Eclipse IDE Linux
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
You can very definitely use self-signed certs with Tomcat. I'm doing that myself.

I can't see anything immediately wrong with what you listed, but there is (as I understand it) an issue with HTTP itself in that for a given IP address, only one cert can be honored, even if ithe IP address supporting multiple hostnames (virtual hosts).
Ravi Danum
Ranch Hand
Posts: 154
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

How did you enable the ssl logging?

Did you get the client authentication working on Tomcat?

I am so glad to see this posting!

  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!