How to use client certificate with tomcat 9?

Time: 09-22

I have recently migrated an application which is protected by client certificates from Tomcat 7 to Tomcat 9. Tomcat is supposed to validate the client certificates based on the self-signed certificate located in the truststore.

The working Tomcat 7 configuration used the following connector (taken from server.xml):

<Connector
  port="8443"
  ...
  clientAuth="true"
  truststoreFile="/usr/share/tomcat/truststore.jks"
  truststorePass="..."
/>

I have migrated this according to the official documentation to the following configuration in Tomcat 9:

<Connector port="8443" ...>
  <SSLHostConfig protocols="TLSv1.2" certificateVerification="required"
                 truststoreFile="/usr/share/tomcat9/truststore.jks"
                 truststorePassword="..."
                 truststoreType="PKCS12">
  </SSLHostConfig>
  ...
</Connector>

When starting up Tomcat 9, I get the following error:

java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty

Googling this error yields a bunch of results, and this usually does seem to point towards an empty or non-accessible truststore. My truststore is not empty and is located in the same directory also used for the keystore, which can be used without problems. And because the same truststore works with Tomcat 7, I am running out of ideas on how to make progress on this issue. Anyone got any ideas? Thank you.

In case it matters, the truststore looks like this:

> keytool -list -keystore truststore.jks

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

mycert, Sep 15, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): ...

CodePudding user response:

Thanks to the analysis and comments by dave_thompson_085 and Piotr P. Karwasz, I could resolve the issue by adding truststoreAlgorithm="SunPKIX" to the connector configuration.

As they pointed out, this answer might be an alternative solution but involves modifying the truststore.
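As an added diagnostic (not part of the question or answer above), this Java program loads the truststore, lists which entries are trustedCertEntry versus PrivateKeyEntry, and tries both ways a TrustManagerFactory can be initialised: with PKIXBuilderParameters, which only accepts trustedCertEntry entries and is what Tomcat 9 builds for the default truststoreAlgorithm PKIX, and with a plain init(KeyStore), which Tomcat 9 uses for any other algorithm name such as SunPKIX and which in SunJSSE also takes the certificate of a PrivateKeyEntry as trusted. The truststore path and the password "changeit" are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Collections;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;

public class TruststoreCheck {

    public static void main(String[] args) throws Exception {
        // Placeholders: pass the real path and password as arguments.
        String path = args.length > 0 ? args[0] : "/usr/share/tomcat9/truststore.jks";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }

        // Only trustedCertEntry entries become PKIX trust anchors; a PrivateKeyEntry does not.
        int anchors = 0;
        for (String alias : Collections.list(store.aliases())) {
            boolean trusted = store.isCertificateEntry(alias);
            if (trusted) anchors++;
            System.out.println(alias + ": " + (trusted ? "trustedCertEntry" : "PrivateKeyEntry"));
        }

        // Path 1: CertPath parameters, as built by Tomcat 9 when truststoreAlgorithm is PKIX (the default).
        try {
            PKIXBuilderParameters params = new PKIXBuilderParameters(store, new X509CertSelector());
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
            tmf.init(new CertPathTrustManagerParameters(params));
            System.out.println("PKIX parameters: OK, " + anchors + " trust anchor(s)");
        } catch (InvalidAlgorithmParameterException e) {
            // With no trustedCertEntry this prints the message seen at Tomcat startup:
            // "the trustAnchors parameter must be non-empty"
            System.out.println("PKIX parameters: FAILED: " + e.getMessage());
        }

        // Path 2: init(KeyStore), as used by Tomcat 9 for any other algorithm name such as SunPKIX.
        // SunJSSE also collects the certificate of each PrivateKeyEntry here, so this succeeds.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunPKIX");
        tmf.init(store);
        System.out.println("init(KeyStore) with SunPKIX: OK, "
                + tmf.getTrustManagers().length + " trust manager(s)");
    }
}
```

If the listing shows only PrivateKeyEntry entries, the alternative to truststoreAlgorithm="SunPKIX" is importing the certificate as a trustedCertEntry, which is the truststore change the answer refers to.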
