Archive: Java Security, March 2004
Re: client authentication in tomcat fails: java.security.cert.CertificateException:
Bill Harrelson 2004-03-19, 8:54 pm
Have you imported your client's certificate into Tomcat's keystore? And, do you have
the cacerts file for Tomcat in a place that it can find it? And, is your cert
chained to a trusted cert in the cacerts file that Tomcat can find?
hitectahir wrote:
> Hi,
>
> I have been trying to get client authentication running with Tomcat.
> However, I keep getting the following exception from tomcat:
>
> java.security.cert.CertificateException: Couldn't find trusted
> certificate
>
> I have set clientAuth=true in server.xml of Tomcat. Also I've created a
> keystore file and specified it correctly in server.xml. I say
> "correctly" because with clientAuth=false, everything's working fine.
> I have also configured the client to send the certificate to the
> server during the handshake using the following code:
>
> // Imports needed by the snippet below
> import java.io.FileInputStream;
> import java.security.KeyStore;
> import javax.net.ssl.HttpsURLConnection;
> import javax.net.ssl.KeyManagerFactory;
> import javax.net.ssl.SSLContext;
>
> try {
>     SSLContext ctx;
>     KeyManagerFactory kmf;
>     KeyStore ks;
>     char[] passphrase = "changeit".toCharArray();
>
>     // Key manager built from the client's JKS keystore, which holds the
>     // private key and certificate the client presents to Tomcat
>     kmf = KeyManagerFactory.getInstance("SunX509");
>     ks = KeyStore.getInstance("JKS");
>     ks.load(new FileInputStream("/home/ahsan/jakarta-tomcat-4.1.29/webapps/jclarens/webapp/WEB-INF/classes/pk/edu/niit/clarens/client/testkeys"),
>             passphrase);
>     kmf.init(ks, passphrase);
>
>     // null trust managers: the client keeps the JSSE default trust store
>     ctx = SSLContext.getInstance("TLS");
>     ctx.init(kmf.getKeyManagers(), null, null);
>
>     // Every HttpsURLConnection from here on uses this context
>     HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
>     setup();
>
>     System.out.println("SSL prepared");
>     // These properties are only read when JSSE builds its default
>     // SSLContext; HttpsURLConnection already uses the factory set above
>     System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
>     System.setProperty("javax.net.ssl.keyStore", "/home/ahsan/jakarta-tomcat-4.1.29/webapps/jclarens/webapp/WEB-INF/classes/pk/edu/niit/clarens/client/testkeys");
>
>     System.out.println(System.getProperties());
> } catch (Exception e) {
>     System.out.println("Unable to set up SSL Connection");
>     e.printStackTrace();
> }
>
> I am pretty sure the correct client certificate is being sent to
> Tomcat, as the CN, OU fields etc. of the client certificate are
> correctly displayed in packets filtered by Ethereal. What I think is
> that some kind of trust store has to be set up on the server side? I've
> been trying to do this for almost two days now, but am unable to make
> it work. How can this be set up, and configured with Tomcat? Please
> help.
>
> regards,
> tahir.
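The server-side check Bill's questions point at, as an added example that is not code from the thread: it loads the trust store the Tomcat JVM uses (assumed here to be the JRE's cacerts file or the file named by the javax.net.ssl.trustStore property), lists its entries, and runs the exported client certificate through the same SunX509 trust manager JSSE uses, so the "Couldn't find trusted certificate" rejection can be reproduced and diagnosed outside Tomcat. The class name, file paths and password are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Applies, outside Tomcat, the check JSSE performs on the server when clientAuth=true
public class ClientTrustCheck {
    // Returns null when the chain is trusted, otherwise the trust manager's reason
    public static String check(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    ((X509TrustManager) tm).checkClientTrusted(chain, "RSA");
                } catch (CertificateException ex) {
                    return ex.getMessage();   // e.g. "Couldn't find trusted certificate"
                }
            }
        }
        return null;
    }
    public static void main(String[] args) throws Exception {
        // Placeholder paths: the trust store Tomcat's JVM uses and the exported client certificate
        String trustStorePath = args.length > 0 ? args[0] : "/path/to/tomcat/cacerts";
        String clientCertPath = args.length > 1 ? args[1] : "/path/to/client.cer";
        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, "changeit".toCharArray());   // placeholder: the JRE default cacerts password
        }
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();             // list the anchors so a missing entry is obvious
            X509Certificate c = (X509Certificate) trust.getCertificate(alias);
            System.out.println("trusted: " + alias + " = " + c.getSubjectX500Principal());
        }
        X509Certificate client;
        try (FileInputStream in = new FileInputStream(clientCertPath)) {
            client = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("client: " + client.getSubjectX500Principal() + " issued by " + client.getIssuerX500Principal());
        String reason = check(trust, new X509Certificate[] { client });
        System.out.println(reason == null ? "accepted: chains to a trusted entry" : "rejected as Tomcat would: " + reason);
    }
}
```

If the client certificate's issuer (or the self-signed client certificate itself) does not appear among the listed trusted entries, that is the entry Bill's reply says must be imported before Tomcat will accept the handshake.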