5. Tomcat client authentication: server and browser configuration

In the following sections, you will find how to create, configure and use a trust-store for Tomcat. The server uses this trust-store to check whether the signature on a client certificate can be trusted. You could also import each client certificate's public key into the trust-store, but then every time you create a new client certificate you would have to import it into the server trust-store as well, which is not very handy.

So a good practice is to sign each client certificate with your own CA, and put only the public CA certificate in the server trust-store.

5.1. Create and populate a trust-store for Tomcat

We need to create a trust-store for Tomcat. This trust-store will hold the public key of our own CA. Since keytool cannot create an empty keystore directly, we first generate a keystore containing a dummy key pair and then delete that entry, which leaves a clean, empty JKS Java keystore. Do the following:

Note: Trust-store password

All the information entered will be erased except the password. Choose a good one.

[your_prompt]$ keytool -genkey -alias dummy -keyalg RSA -keystore truststore.jks

Now delete the alias dummy, to have an empty trust-store:

[your_prompt]$ keytool -delete -alias dummy -keystore truststore.jks

That's it, we are ready to import our CA public key, do the import:

[your_prompt]$ keytool -import -v -trustcacerts -alias my_ca -file public/ca.crt -keystore truststore.jks

Check your fresh trust-store:

[your_prompt]$ keytool -v -list -keystore truststore.jks

Caution: Load the trust-store at startup

To make Tomcat load the trust-store at startup, you need to set the environment variable CATALINA_OPTS:

CATALINA_OPTS="-Djavax.net.ssl.trustStore=your_path_to/truststore.jks -Djavax.net.ssl.trustStorePassword=your_password"

Note: Force Tomcat to use client authentication

To force your server to request a certificate from the client for authentication, you need to set the attribute "clientAuth" to "true" on the Connector (and, on older Tomcat versions, on its nested Factory element) in your Tomcat server.xml.

Once this is done, do not forget to restart your server. Tomcat is now ready to authenticate clients by certificate. It is time to import the PKCS#12 client certificate into a browser.
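
As an added check (not part of the original tutorial), the following Python script audits a server.xml for TLS connectors whose "clientAuth" is not "true", reading the attribute from the Connector or from a nested Factory element as described above. The server.xml content, port numbers and file names in it are constructed for the example.

```python
"""Audit a Tomcat server.xml: which HTTPS connectors actually require a client certificate?"""
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from any real deployment): a plain HTTP
# connector, an HTTPS connector that merely asks for a certificate ("want"),
# and one that requires it ("true").
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" clientAuth="want" keystoreFile="conf/keystore.jks" />
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" clientAuth="true" keystoreFile="conf/keystore.jks" />
  </Service>
</Server>
"""

def _attr(elem, name, default=""):
    # Normalise the value so "True" and "true" compare equal.
    return (elem.get(name) or default).strip().lower()

def client_auth_value(connector):
    """Effective clientAuth of one <Connector>: the attribute on the Connector,
    else on a nested <Factory> (older Tomcat style), else Tomcat's default "false"."""
    if connector.get("clientAuth") is not None:
        return _attr(connector, "clientAuth")
    factory = connector.find("Factory")
    if factory is not None and factory.get("clientAuth") is not None:
        return _attr(factory, "clientAuth")
    return "false"

def audit_connectors(xml_text):
    """Map port -> clientAuth value for every TLS-enabled connector."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        tls = (_attr(conn, "SSLEnabled") == "true"
               or _attr(conn, "scheme") == "https"
               or conn.find("Factory") is not None)
        if tls:
            report[conn.get("port")] = client_auth_value(conn)
    return report

def weak_connectors(xml_text):
    """Ports of TLS connectors that do not force client authentication
    ("want" only requests a certificate, "false" never asks for one)."""
    return sorted(p for p, v in audit_connectors(xml_text).items() if v != "true")

if __name__ == "__main__":
    for port, value in audit_connectors(SAMPLE_SERVER_XML).items():
        print(f"port {port}: clientAuth={value}")
    print("connectors not enforcing client auth:", weak_connectors(SAMPLE_SERVER_XML))
```

Run it against your real server.xml after the change and before restarting Tomcat; any port it lists will still accept connections without a client certificate.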

5.2. Import a PKCS#12 client certificate into your browser

With Internet Explorer you can choose between several security levels when importing a client certificate. I recommend choosing medium or high, depending on whether you want to allow the client user to use the certificate without typing the password or only after typing it.

Also, depending on the configuration of your browser, you may be able to choose between several client certificates. Select the one you just installed when asked. Type the following URL in your browser and enjoy mutual[1] authentication under SSL!

https://localhost:8443

To be continued.

Notes

[1] Mutual authentication means server authentication plus client authentication.