I have a web application on Apache Tomcat server A. This webapp makes connection to a server B running somewhere else. This server B requires client authentication with SSL certificate.
What I am trying to achieve is, to make this web application on server A to use SSL client certificate to authenticate on server B.
Therefore I have provided some additional JAVA_OPTS for my Tomcat Server A:
-Djavax.net.ssl.trustStore=/location/keystore.jks
-Djavax.net.ssl.trustStorePassword=changeit
-Djavax.net.ssl.keyStore=/locaton/keystore.jks
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.debug=ssl
Now this keystore.jks contains three certificates:
tomcat/logs/catalina.out gives this:
Client write key:
0000: some hex
Server write key:
0000:some hex
... no IV used for this cipher
*** CertificateVerify
pool-1-thread-2, WRITE: TLSv1 Handshake, length = 134
pool-1-thread-2, WRITE: TLSv1 Change Cipher Spec, length = 1
Finished
verify_data: { data }
pool-1-thread-2, WRITE: TLSv1 Handshake, length = 32
pool-1-thread-2, READ: TLSv1 Alert, length = 2
pool-1-thread-2, RECV TLSv1 ALERT: fatal, unsupported_certificate
pool-1-thread-2, called closeSocket()
pool-1-thread-2, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: unsupported_certificate
pool-1-thread-2, called close()
In order to prove the correctness of this keystore I have written a tiny java application which makes connection to the same server B with the same keystore and it successfully negotiates client certificate.
I have tried to change this client certificate to X509 type, but even then I am getting errors and am not able to communicate.
I thought maybe there is something I am missing? Does somebody have experience with this kind of stuff?
Thank you
This looks to be because the client certificate is not enabled for "client authentication" usage. You can verify by opening the certificate and checking under "Details" tab, the "Enhanced Key Usage" field. It should have "Client Authentication" in the field.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.