Hi,

I have been trying to get client authentication running with Tomcat.
However, I keep getting the following exception from tomcat:

java.security.cert.CertificateException: Couldn't find trusted
certificate

I have set clientAuth=true in server.xml of Tomcat. Also Ive created a
keystore file and specified it correctly in server.xml. I say
"correctly" because with clientAuth=false, everything's working fine.
I have also configured the client to send the certificate to the
server during the handshake using the following code:

try{

SSLContext ctx;
KeyManagerFactory kmf;
KeyStore ks;
char[] passphrase = "changeit".toCharArray();

kmf = KeyManagerFactory.getInstance("SunX509");
ks = KeyStore.getInstance("JKS");

ks.load(new FileInputStream("/home/ahsan/jakarta-tomcat-4.1.29/webapps/jclarens/webapp/WEB-INF/classes/pk/edu/niit/clarens/client/testkeys"),
passphrase);

kmf.init(ks, passphrase);

ctx = SSLContext.getInstance("TLS");

ctx.init(kmf.getKeyManagers(), null, null);

HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
setup();

System.out.println("SSL prepared");
System.setProperty("javax.net.ssl.keyStorePassword","changeit");
System.setProperty("javax.net.ssl.keyStore","/home/ahsan/jakarta-tomcat-4.1.29/webapps/jclarens/webapp/WEB-INF/classes/pk/edu/niit/clarens/client/testkeys");

System.out.println(System.getProperties());
}
catch(Exception e){
System.out.println("Unable to set up SSL Connection");
e.printStackTrace();
}

I am pretty sure the correct client certificate is being send to
Tomcat, as the CN, OU fields etc. of the client certificate are
correctly displayed in packets filtered by Ethereal. What I think is
that some kind of trust store has to be set up on the server side? Ive
been trying to do this for almost two days now, but am unable to make
it work. How can this be set up, and configured with Tomcat? Please
help.

regards,
tahir.