Unable to get X509 root certificate from client in Tomcat

I am trying to set up a test environment for our application, which uses X.509 client authentication over HTTPS in Tomcat 6.0. The servlet code expects to receive the certificate chain as an array of X509Certificate objects from the javax.servlet.request.X509Certificate request attribute. However, this array contains only one element (the client certificate), whereas I expect it to have two (the client certificate and the root CA certificate that signed it).

Here is what I have done so far:

  • Create a self-signed CA certificate using openssl.
  • Import the CA certificate as a trusted root certificate into a new Java keystore.
  • Configure the Tomcat HTTPS connector to require client authentication, using the keystore created in step 2 as the trust store:
    • clientAuth="true"
    • truststoreFile="<path_to_truststore>"
  • Create a new client certificate using openssl and sign it with the CA certificate.
  • Launch Tomcat.
  • Install the client certificate in Chrome and go to the home page of my server. Stepping through the code in the debugger, I see that the array returned as the javax.servlet.request.X509Certificate attribute contains only the client certificate.

I know that Tomcat picks up the CA root certificate from the trust store, because when I remove it from the trust store I get an SSL connection error. It just doesn't make it into the servlet request as the documentation says. Am I missing some additional configuration here? Perhaps Tomcat (or Java, or JSSE) expects some additional X.509 v3 extensions or something else?

Any help is appreciated!

EDIT

It seems that my setup is valid, and this falls into the category of unusual but expected behavior caused by a simplified test environment. In an enterprise scenario, it is unlikely that the root certification authority would directly sign client certificates for individual users. Obviously, when this code was written and tested, there was at least one intermediate CA in the trust chain.

2 answers

What you see is expected: Chrome does not send the CA.

During the TLS handshake with client authentication, the server sends a list of acceptable CAs as part of its CertificateRequest (RFC) message; the browser then presents a certificate signed by one of those certificate authorities.

EDIT

BTW, a great way to debug client-side SSL connections is the excellent openssl tools:

openssl s_client -connect ssl.server.com:443

or, for SSLv3-only servers:

openssl s_client -connect ssl.server.com:443 -ssl3

This will print (among other things) the list of acceptable CAs.

To debug the server side, add this to the JVM command line: -Djavax.net.debug=ssl

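The practical consequence of the answer above is that the server must not expect the browser to deliver the issuer: if the servlet code needs the full chain up to the root, it has to rebuild it from the trust store Tomcat already holds. The following is an added example, not code from the original question, the answers, or Tomcat itself. It uses the JDK's PKIX CertPathBuilder to extend whatever the client presented (leaf only in the asker's setup, leaf plus intermediates in an enterprise one) into a leaf-to-root array. The truststore path, its password and the PEM file read by main() are assumed command-line inputs for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Completes a client certificate chain from the server's own trust store.
 *
 * Added example: the browser sends only the certificates it has (typically the leaf,
 * sometimes intermediates), never the root the server already trusts. Calling
 * completeChain() on the javax.servlet.request.X509Certificate attribute yields the
 * array the servlet in the question expected: leaf first, trust-anchor root last.
 */
public final class ChainCompleter {

    private ChainCompleter() {}

    /**
     * @param presented  the array Tomcat exposes as javax.servlet.request.X509Certificate
     * @param trustStore the KeyStore configured as truststoreFile on the connector
     * @return the PKIX-validated chain, leaf first, ending with the trusted root
     * @throws GeneralSecurityException if no path to a trust anchor can be built
     */
    public static X509Certificate[] completeChain(X509Certificate[] presented, KeyStore trustStore)
            throws GeneralSecurityException {
        if (presented == null || presented.length == 0) {
            throw new CertificateException("no client certificate presented");
        }

        // The builder's target is the end-entity certificate the browser sent.
        X509CertSelector leafSelector = new X509CertSelector();
        leafSelector.setCertificate(presented[0]);

        // Only trustedCertEntry entries in the KeyStore become trust anchors.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, leafSelector);
        // Assumption for a test environment: no CRL/OCSP infrastructure is configured.
        params.setRevocationEnabled(false);
        // The builder looks up the target and any intermediates in CertStores,
        // so make everything the client presented available to it.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Arrays.asList(presented))));

        PKIXCertPathBuilderResult result =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);

        // getCertPath() excludes the anchor itself; append it to get the full chain.
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : result.getCertPath().getCertificates()) {
            chain.add((X509Certificate) c);
        }
        chain.add(result.getTrustAnchor().getTrustedCert());
        return chain.toArray(new X509Certificate[0]);
    }

    /** Loads the same JKS/PKCS12 file Tomcat uses as truststoreFile. */
    public static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Usage: java ChainCompleter <truststore> <password> <client-cert.pem> */
    public static void main(String[] args) throws Exception {
        KeyStore trustStore = loadTrustStore(args[0], args[1].toCharArray());
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate leaf;
        try (InputStream in = new FileInputStream(args[2])) {
            leaf = (X509Certificate) cf.generateCertificate(in);
        }
        // Simulates the one-element array the asker observed in the servlet.
        X509Certificate[] fromBrowser = { leaf };
        X509Certificate[] full = completeChain(fromBrowser, trustStore);
        for (int i = 0; i < full.length; i++) {
            System.out.println(i + ": " + full[i].getSubjectX500Principal());
        }
    }
}
```

In the servlet, the call is simply completeChain((X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"), trustStore). Because the chain is produced by PKIX path building rather than by trusting what the client sent, a leaf whose issuer is absent from the trust store fails loudly with a CertPathBuilderException instead of being silently accepted with a one-element array; leave revocation checking enabled outside a test environment.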

The keystore must contain a certificate signed by the CA, not a self-signed certificate. The CA root must be in the trust store.

Also, what is the purpose of step 4?


Source: https://habr.com/ru/post/1403009/