Tomcat Client Authentication using SSL
Update:
Try following way to enable the client authentication in Tomcat.
To make tomcat take advantages of Client Authentication, we require three certificates. i.e A Server Certificate for Tomcat, Client Certificate for the browser and Certificate of the CA which will sign both the above mentioned certificates. Here, I'll show how to do it in Windows.
There are two ways.
You should have a CSR file i.e. a Certificate Signing Request. You can submit it to the Certificate Authority like Verisign or Comodo or many other like them. They'll provide you the certificate. Or
You can create your own Certificate Authority and sign the certificates. But it is recommended to do this for personal use only.
You should have Java and OpenSSL installed to perform the below steps.
To generate the Certificate Signing Request, you should have the key. To generate the key type the following command in CMD.
openssl genrsa -out Serverkey.key 1024
This will generate a file "Serverkey.key". The key size is 1024. You can give it as per your requirement.
Now generate the CSR file with the help of following command.
openssl req -new -key Serverkey.key -out ServerReq.csr -config /path/to/openssl.cnf
Once you execute this command, you'll be asked to give some information. After that, you'll find the CSR file in your directory. You can submit this file to the CA. In case, you are doing this for your personal use, and you want to have your own CA, create a key and CSR for your CA with the help of above given two commands. After you have your CSR for CA, you can sign with the CA's key with the help of following command.
openssl x509 -req -days 365 -in CAReq.csr -signkey CAKey.key -out CA.crt
Once you have the CA certificate, you can use it to sign other certificates.
openssl x509 -req -days 365 -CA CA.crt -CAkey CAKey.key -CAcreateserial -in ServerReq.csr -out Server.crt
You can use the same command for client certificate as well.
The browser which is our client here, will accept the P12 format certificate. P12 format is a file which contains your certificate as well as the key.
To conver the CRT to P12 use the following command.
openssl pkcs12 -export -in Server.crt -inkey ServerKey.key -chain -CAfile CA.crt -out ServerCert.p12
In tomcat, there is one truststore which will have the CA's certificate and another is a keystore which will have server's key and certificate (p12 file).
For importing CA's certificate to truststore use the following command.
keytool -import -alias CertAuth -keystore caCerts.jks -file CA.crt
You can give alias as whatever you want. Note the password that you give when asked after executing the above command. We'll use that password in the server.xml file. Same applies for the below command.
For importing the p12 format certificate to the keystore use the following command.
keytool -importkeystore -destkeystore tomcat.keystore -srckeystore -ServerCert.p12 -srcstoretype PKCS12 -alias 1
Now, change the tomcat's server.xml as following.
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true" scheme="https" secure="true"
truststoreFile="path/to/truststorefile" truststorePass="password"
keystoreFile="path/to/keystorefile" keystorePass="password"
clientAuth="true" sslProtocol="TLS"
/>
Now, import the Client's P12 format certificate to the browser. Then, start the tomcat server and try to access https://localhost:8443. You can visit the blog for the detailed version of this answer. Hope this helps.
Here's the really long answer: http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
Don't take my word for it, but I believe that, as a client, client auth will automatically be performed when the server requests it.
If configuring tomcat is the question, have you read http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html? In particular, note the clientAuth attribute of the Connector element.