Tomcat mutual SSL configuration

Lately I had to configure Tomcat for mutual SSL. I ran into some problems and here is what helped me.

In fact, my problem was not having the correct certification path in my keystore.
I had the following certificate:

"SERIALNUMBER=2010,CN=Government CA,C=BE" 

and the certificate sent by the client was certified by the intermediate:

"SERIALNUMBER=2011,CN=Government CA,C=BE"

The only difference is 2010 vs. 2011: the client's chain was issued by a CA whose subject matched none of the certificates I trusted. The problem was solved after adding the correct certificate to my keystore.

Here are some tips that helped me to identify the problem:

  • these two posts:


  • starting tomcat in ssl debug mode by adding “” to the start command in my
  • knowing the handshake events:
    1. Server Hello
    2. Client Hello
    3. Certificate chain
    4. found trusted certificate
    5. Certificate request
    6. Server Hello done.
    7. Certificate chain
    8. ClientKeyExchange, RSA PreMasterSecret, TLSv1
    9. verify_data
  • here is the correct SSL configuration in Tomcat:
    <Connector port="8683" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keyAlias="ALIAS OF YOUR CERTIFICATE IN THE keystoreFile"
               keystoreFile="conf/myKeyStore.jks" keystorePass="myPass"
               truststoreFile="conf/myKeyStore.jks" truststorePass="myPass"/>

Here is what didn't help me:

  • adding a user with roles in my tomcat-users.xml and adding the following to web.xml
    in tomcat-users.xml:
    <user username="Full CN of the client certificate" password="null" roles="secureconn"/>
    in web.xml of my application

Hope this will help someone facing the same problem: check every CN of the certificates in your keystore, and check that the chain is complete.
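As an added example (not from the post), here is a small stand-alone diagnostic for exactly the failure above: it compares the client certificate's issuer DN with each subject DN in the truststore and reports the near miss (one attribute differs) instead of a silent "no trusted certificate found". The DN strings are constructed from the post; the root CA entry is hypothetical.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: what the truststore in the post held (the "2010" issuer
# plus a hypothetical root) and the issuer DN of the client's certificate.
TRUSTSTORE_SUBJECTS = [
    "SERIALNUMBER=2010,CN=Government CA,C=BE",
    "CN=Belgium Root CA,C=BE",  # hypothetical root, not from the post
]
CLIENT_ISSUER = "SERIALNUMBER=2011,CN=Government CA,C=BE"

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 style DN into (TYPE, value) pairs.
    Commas escaped as '\\,' stay inside the value; types are uppercased so
    'cn' and 'CN' compare equal. Multi-valued RDNs ('+') are not handled."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if not part.strip():
            continue
        typ, _, val = part.partition("=")
        rdns.append((typ.strip().upper(), val.strip().replace("\\,", ",")))
    return rdns

def dn_diff(a: str, b: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Attribute types whose values differ (or exist on one side only)."""
    da, db = dict(parse_dn(a)), dict(parse_dn(b))
    return {t: (da.get(t), db.get(t)) for t in sorted(set(da) | set(db))
            if da.get(t) != db.get(t)}

def find_issuer(client_issuer: str, truststore_subjects: List[str]):
    """Return (exact_match, near_misses).
    exact_match: the truststore subject equal to the client's issuer, or None
    (None means the chain cannot be built, which is what breaks the handshake).
    near_misses: subjects differing in exactly one attribute, with both
    values, e.g. the 2010-vs-2011 SERIALNUMBER mix-up from the post."""
    exact = None
    near = []
    for subj in truststore_subjects:
        diff = dn_diff(client_issuer, subj)
        if not diff:
            exact = subj
        elif len(diff) == 1:
            near.append((subj, diff))
    return exact, near

if __name__ == "__main__":
    exact, near = find_issuer(CLIENT_ISSUER, TRUSTSTORE_SUBJECTS)
    print("issuer found:" if exact else "issuer NOT in truststore:", exact or CLIENT_ISSUER)
    for subj, diff in near:
        print("  near miss:", subj, "->", diff)
```

In practice the subject strings come from `keytool -list -v -keystore conf/myKeyStore.jks` and the client's issuer from `openssl x509 -noout -issuer -in client.pem`; an exact match is required, a near miss means the wrong CA certificate was imported.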
