I am trying to write a simple application to understand the basics of configuring authentication based on client and server certificates.
I have done everything as it is explained in the Java EE 5 and Java EE 6 tutorials:
http://docs.oracle.com/javaee/6/tutorial/doc/glien.html
- Opened the example from the Java EE tutorials, hello basicauthorization (just a simple servlet which can be accessed only after authentication), and then reconfigured it for client certificates instead of basic authorization
- Configured web.xml
- Configured glassfish-web.xml
- Generated client certificate
- Imported the client certificate so that the server would trust it.
The problem:
When I deploy my application and follow the link corresponding to the application, I get a message from the GlassFish server: "HTTP Status 400 – No client certificate chain in this request".
So it seems that the client (browser) doesn’t send the certificate with the request.
I tried adding the .cer certificate to Chrome, Firefox and Internet Explorer, and it is added (no error is displayed), but as you can see that doesn’t help.
So, the question is:
How do I get access to my application through the web browser, having a client .cer certificate?
You can debug SSL on the server side by adding (somewhere in GlassFish) system properties:
see this page for details.
You can also debug from the client's perspective using the openssl tool:
You should see something like this:
Your problem is probably related to a bad truststore configuration on the server side – the server sends some Acceptable client certificate CA names (or none at all), but the browser doesn’t have anything to offer: it doesn’t have any private key + certificate issued by an acceptable CA.