Read client certificate in a Servlet

I have an app in a tomcat server, and I'm trying to read a client certificate. It's the first time I work with SSL, so probably I am doing something wrong. I don't want client validation, I just need to read the certificate content and send it to a webservice for validation and info retrieval. The problem is that I am unable to read the certificate content.

I already created a keystore and self-signed certificate for the server. The user certificate is on the browser (The user certificate is a valid one, not self-signed). The ssl connector configuration in server.xml is:

<Connector acceptCount="100" clientAuth="want" keystoreFile="/c:/temp/server.jks" keystorePass="password" disableUploadTimeout="true" enableLookups="true" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8443" scheme="https" secure="true" sslProtocol="TLS"/>

If I try to get the cipher suite : req.getAttribute("javax.servlet.request.cipher_suite"), I get the value TLS_DHE_DSS_WITH_AES_128_CBC_SHA

But when I try to read the certificates with req.getAttribute("javax.servlet.request.X509Certificate"), I just get a null value.

I have googled a little, and I read things such as that an Apache server is needed to retrieve the certificate, and then send it to Tomcat server. Is the Apache server really needed, or is Tomcat enough? In any case, what should I do to read the client certificates?

The reason you get null is because the client was not authenticated. 'clientAuth = want' permits the client to connect without authentication. To require authentication, you must set 'clientAuth = true'.

If I do that, then I get an error message, because server can't validate the certificate (It does not even ask me to choose a certificate). The user certificate is 100% valid.

If I do that, then I get an error of type: ssl_error_bad_cert_alert. I am not even prompted to choose a certificate. The personal certificate is 100% valid, as I use it for official issues.

The server must send a list of trusted certificate authorities to the client. It uses the truststore file for this purpose. Look at the tomcat configuration documentation for how to do this. Make sure that at least one of the CA certificates in the server's truststore matches the issuer of your client certificate.

If, for example, your server says it trusts Verisign, the client-side gui will only prompt you to choose amongst your certificates signed by Verisign. If your server sends nothing, your client won't even bother you, it will just fail the connection.

I finally made it (or almost). I found an article on how to create and install server an client certificates (I found many, but this one is the first complete)

http://oshogsb.blogspot.com/2007/07/how-to-create-custom-ca-and.html

I configured connector, so that server request a certificate:

<Connector acceptCount="100" clientAuth="true" keystoreFile="/C:/OpenSSL/bin/ssl/server/server.ks" keystorePass="password" truststoreFile="/C:/OpenSSL/bin/ssl/server/server.ks" truststorePass="password" truststoreType="JKS" disableUploadTimeout="true" enableLookups="true" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8443" scheme="https" secure="true" sslProtocol="TLS"/>

And now I can read the certificate with this code:

String cipherSuite = (String) req.getAttribute("javax.servlet.request.cipher_suite"); if (cipherSuite != null) { X509Certificate certChain[] = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate"); if (certChain != null) { for (int i = 0; i < certChain.length; i++) { System.out.println ("Client Certificate [" + i + "] = " + certChain[i].toString()); } } }

The only problem now, is that I don't need authentication in the wole context. I just need tomcat to read the certificate in an specific url (Just read the certificate and be able to read it on the servlet) How can I achieve this. I found this: http://mail-archives.apache.org/mod_mbox/tomcat-users/200302.mbox/%3C62E22079089F134682AD19324A0C115F04C284@christine.alfa-ariss.com%3E but it didn't work