I have made my Tomcat secure, i.e. it now runs on https://localhost. But I can download my contents without authenticating whether my client is the right person or not. I don't want this. The whole concept of SSL goes for a toss. I believe I should put the client authentication certificate in the cacert file, right? I also have a doubt whether a certificate is also needed for the client and, if yes, where should we keep this?
Now when I try to access the secure server it works fine. All the requests and responses are also handled well.
What I believe (it's my assumption, correct me if I am wrong) is that we would require 2 certificates: one the server has, one the client should have, which is kept at the client side. I tried to keep this in the cacert file in the security folder.
The reason is I am using Tomcat for testing purposes. But when I go to VeriSign certified signing, this code may fail.
The encryption is initiated by the server and the server's certificate is used to negotiate a secure connection with the client. While you are right that there is information that needs to be shared by the client and server, this isn't 'held' on the client, it is created for the current SSL conversation during the handshake.
I have simplified a bit, but hopefully I'm still correct.
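Added example, not part of the question or the answer above: a Tomcat JSSE HTTPS connector in server.xml that requires a client certificate, so the server verifies the client's certificate chain against a truststore during the handshake the answer describes, instead of only presenting its own certificate. The keystore/truststore paths, passwords and alias are placeholders; the attributes (SSLEnabled, clientAuth, keystoreFile, truststoreFile) are Tomcat's documented JSSE connector attributes, and if truststoreFile is omitted Tomcat falls back to the JRE's lib/security/cacerts mentioned in the question.

```xml
<!-- server.xml fragment (added example, placeholder values):
     - keystoreFile   holds the SERVER's certificate and private key.
     - truststoreFile holds the CA certificate(s) that signed the CLIENT
       certificates; the client keeps its own certificate and private key
       on the client side and presents them when clientAuth="true".
     Import the client CA into the truststore with keytool, for example:
       keytool -import -alias client-ca -file client-ca.crt \
               -keystore conf/client-truststore.jks -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           sslProtocol="TLS"
           keystoreFile="conf/server-keystore.jks"
           keystorePass="CHANGE_ME_SERVER_KEYSTORE_PASSWORD"
           clientAuth="true"
           truststoreFile="conf/client-truststore.jks"
           truststorePass="CHANGE_ME_TRUSTSTORE_PASSWORD" />
```

With clientAuth="true" the TLS handshake itself fails for a client that cannot present a certificate chained to a CA in the truststore, so unauthenticated downloads are refused before any request is served. Mapping the presented certificate to an application user or role additionally needs a web.xml login-config with auth-method CLIENT-CERT and a realm that knows the certificate's subject DN.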