I will try to make this brief.
I generated my own client and server private keys with OpenSSL and also self-signed certificates.
So I have:
- 1 self-signed cert + private key for the client
- 1 self-signed cert + private key for the server
I simulate an SSL server with openssl s_server using the generated server private key; the setup is to require client certificates and verify depth 1.
And now it gets interesting.
No outbound SSL certs are set up on the Admin page; directories remain 'unspecified'.
I only have the server's self-signed cert in my IS trusted certificate dir, which is set up on the same cert page.
Using setKeyAndChain with my client certificate and private key (both in DER format), I try to connect to the localhost s_server port…
I can see the complete handshake process and the SSL handshake fails on the s_server side because NO CLIENT CERTIFICATE IS SENT. The chain is empty!
Could someone please try to explain why???
I disable the setKeyAndChain in the flow and use the https call directly. I set up the same paths which I used for setKeyAndChain in the Admin/Certificates page.
Since it's self-signed, I don't have any CA certificate.
Result: NO client certificate sent.
With setKeyAndChain still disabled, I put the same client certificate also into the server's CA (same path).
Result: WORKS! The handshake gets completed.
Alas, this doesn't solve my problem, since the 'real' server running Tomcat rejects this kind of certificate chain/request with the error 'User trying to act as CA'.
I used the s_server to see what exactly the IS sends out, and it confirmed that the client certificate is never sent when using setKeyAndChain.
No matter how many certificates I put in as input, in the IS SSL debug log I get 'No client certificate available, sending empty request'…
All certificates are correct; I could import them into IE/Firefox, and they verified OK with OpenSSL.
Please give me your thoughts on this…
IS - 184.108.40.206
Windows Server 2003
Standard Edition Service Pack 2
Oracle Express 10
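Added example, not code from the post or from the product it describes: a shell script that builds a private CA, issues the client certificate from it as an end entity (CA:FALSE) instead of using a self-signed client cert, and checks the chain once against the issuing CA and once against an unrelated trust store, which is what the server does at handshake time. It assumes the openssl CLI is on PATH; the CA and client names and the work directory are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is on PATH;
# all names and paths below are made up.
set -eu
WORK="${TMPDIR:-/tmp}/mtls-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# A private CA: its certificate (not the client cert) is what belongs in the
# server's trusted-CA list.  $1 = CN, $2 = output basename.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# The client certificate: a CSR signed by the CA and explicitly marked as an
# end entity (CA:FALSE), so a strict server does not see a user acting as a CA.
make_client_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' >"$WORK/client.ext"
  openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/client.ext" \
    -out "$WORK/client.pem" 2>/dev/null
}

# What the server does during the handshake: walk the presented chain up to a
# trusted root.  Succeeds only if the issuing CA is in the store given as $1.
verify_against() {
  openssl verify -CAfile "$1" "$WORK/client.pem" >/dev/null 2>&1
}

# True when the cert carries basicConstraints CA:FALSE (an end-entity cert).
is_end_entity() {
  openssl x509 -in "$WORK/client.pem" -noout -text | grep -q 'CA:FALSE'
}

# DER copies of cert and key, the form setKeyAndChain is fed in the post.
to_der() {
  openssl x509 -in "$WORK/client.pem" -outform DER -out "$WORK/client.der" 2>/dev/null
  openssl pkey -in "$WORK/client.key" -outform DER -out "$WORK/client.key.der" 2>/dev/null
}

make_ca "Demo Client CA" ca
make_ca "Unrelated CA" other   # stands in for a trust store that lacks the issuer
make_client_cert && to_der
verify_against "$WORK/ca.pem"    && echo "chain verifies against the issuing CA"
verify_against "$WORK/other.pem" || echo "unrelated trust store: issuer unknown, rejected"
is_end_entity && echo "client cert is CA:FALSE"
```

The second verify is the situation in the post: the server's trust store only knows certificates that did not issue the client cert, so the chain cannot be built and the handshake fails.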