Client Certificate Problems...

Similar Messages

• Safari client certificate problem w/ Canada Post website

  I am using OSX 10.8.5 and Safari 6.1.1
  I'm trying to use the Canada Post website for online shipping (ship-in-a-click) via the site:
  http://www.canadapost.ca/personal/tools/cst/intro-e.asp
  When I choose my option (in this case INTERNATIONAL) a pop-up opens asking to select a client certificate. A list of five certificates, which are all apparently valid and not expired, is given. No matter which certificate I select I cannot get past this pop up window. It just pops back up again.
  The certificates are all in the form:
  com.apple.idms.appleid.prd. then a very lengthy alpha numeric string
  From what I have read with certificate problems you can just delete them and next time you visit the site will ask you to select a new one. However, in this case, with all the certificates seemingly being valid, I don't think that will be the solution. Although, I am a complete novice when it comes to these issues.
  Can anybody suggest something other than using Firefox/Chrome etc. although if that is the ONLY choice then so be it. But surely this can be solved within Safari, no? The rest of the Canada Post site seems to behave OK with Safari.
  Thank you.

  Neither.  I am on Mavericks and it shows the exact same issue, so it neither fixes the problem or intoduces new ones, at least with my site.
  I also noticed that it is somewhat based on the loction (IP) of the server because on my local laptop (During development) and on our QA server would try and send a certificate that it should not send.  HOWEVER once we implemented the SSL client certificate on our production server it would no longer send the certificate.  I have no idea why and speculate that it is because our production server has a public IP.
  If you want you can use my site and see if the problem persists for you there (http://whf.to); however given the seemingly random why Safari decides to send certificates you may or may not see the issue.  If Safari does indeed send a certificate you should get an error page that details what happened (in somewhat lay-terms).
  Sorry that Mavericks doesn't fix the issue for you.

• SSL client certificate problem with exchange owa

  Since a week I've been having the strangest problem when trying to connect to an exchange webmail server.
  When I try to log on to the server, I now get a a safari warning telling me that the website requests a client certificate and prompts me to choose one.
  Safari presents me with a few .mac and mobileme certificates, none of which are valid for this site obviously.
  I cannot get through this dialog because it seems I do not have the required certificate.
  What baffles me though, is that when I disable my mobileme settings in system preferences, safari connects to the exchange webmail perfectly without ever prompting me for a certificate.
  I do not understand what mobileme has to do with this exchange server at all.
  What is even more strange is that I have been having this on 4 different mac's here at home, with two different user accounts on the exchange server, and I have a family mobileme pack... so every system is a little different, but they all behave exactly the same.
  Can anybody point in the right direction please ?
  For what it's worth, I could have installed a 10.7.1 update on one of the systems which may have caused this, but definatly not on all 4 at the same time....
  Another strange bit, when setting up the exchange server inside mail.app, it works perfectly...

  Since a week I've been having the strangest problem when trying to connect to an exchange webmail server.
  When I try to log on to the server, I now get a a safari warning telling me that the website requests a client certificate and prompts me to choose one.
  Safari presents me with a few .mac and mobileme certificates, none of which are valid for this site obviously.
  I cannot get through this dialog because it seems I do not have the required certificate.
  What baffles me though, is that when I disable my mobileme settings in system preferences, safari connects to the exchange webmail perfectly without ever prompting me for a certificate.
  I do not understand what mobileme has to do with this exchange server at all.
  What is even more strange is that I have been having this on 4 different mac's here at home, with two different user accounts on the exchange server, and I have a family mobileme pack... so every system is a little different, but they all behave exactly the same.
  Can anybody point in the right direction please ?
  For what it's worth, I could have installed a 10.7.1 update on one of the systems which may have caused this, but definatly not on all 4 at the same time....
  Another strange bit, when setting up the exchange server inside mail.app, it works perfectly...

• Secure Mobility Client Certificate Problem | scep-forwarding-url

  Hi All,
  I am having a problem configuring SCEP for my secure mobilty client.  I have created a connection profile to allow certificate requestes but when I fill in the scep-forwarding-url field I get an error. 
  The CA we are using is an internal MS CA with SCEP already enabled.  This has been configured for a long time with our current Cisco VPN client using certificate authentication.  The ASA is running 8.4.1.
  Here is the error I get when I try to enter the command into the group policy associated with my certificate enrollement connection profile:
  group-policy SSLGP attributes
  scep-forwarding-url value http://10.1.1.2/certsrv/mscep/mscep.dll
  Attempting to retrieve the CA/RA certificate(s) using the URL. Please wait ...
  Received 3 CA/RA certificate(s) using the SCEP URL.
  NON-RESIDENT CERT: serial: 11111111000100000145, subject: cn=SCEP_ADD_ON,o=OUNIT,c=UK
  NON-RESIDENT CERT: serial: 11111111000100000146, subject: cn=SCEP_ADD_ON,o=OUNIT,c=UK
  NON-RESIDENT CERT: serial: 11111111478AAB288393FAFf2a3E274, subject: cn=CERTSVR-01
  WARNING: Please check if you have all the required certificate(s) in the config to authenticate the certificates that will be issued using this SCEP URL
  Can someone explain why this is happening as it will not take the config?
  Thanks in advance.
  Ian

  Ian:
  I'am a roockie working on CA. I did the instalation over 2003 server and I checked and scep server is reachable in fact if I enter ther scep url I  get a message regarding the thumbprint and password. I got the same messege regarding the additional trustpoints, but in my environment I just have only one CA server. I notice by the certificate serial that I have the certificates generated on the CA numbered as 2 and 3 respectively but I have three questions.    
  1 .- I checked If the certificates could be exported as a .cer file but I just have two options as .dat or as text but I dont know how to import the text because the format looks different from the text chains we use to generate the trust points.
  2.- Because my config was not working I erased the ASA config and gave a different hostname to the ASA in fact I create an identity certificate with this name ¿Do i need to return to the original hostname?
  3.- Does the TAC gave You additional information on how to deal with CA server?

• Non-Deterministic Exception When Connecting With Wrong Client Certificate

  I am working on an internal application and need to determine the correct client-side SSL certificate to use when connecting to a server (the user can supply multiple client-side certificates). I had expected that if I connected to a server using the wrong client certificate the java client would throw a SSLHandshakeException and I could then try the next certificate. This seems to work some of the time, however the java client will sometimes throw a “SocketException: Software caused connection abort: recv failed”, in which case it is not possible to know that the wrong certificate caused the problem.
  Below is the code I have been using to test as well as the intermittent SocketException stack trace. Does anyone have an idea as to how to fix this problem? Thanks in advance.
  Note: the TrustAllX509TrustManager is a trust manager that trusts all servers.
  protected void connectSsl() throws Exception {
        final String host = "x.x.x.x";
        final int portNumber = 443;
        final int socketTimeout = 10*1000;
        // Note: Wrong certificate (expect SSLHandshakeException).
        final String certFilename = "C:\\xxx\\clientSSL.P12";
        final String certPassword = "certPassword";
        final BufferedInputStream bis = new BufferedInputStream(new FileInputStream(new File(certFilename)));
        final char[] certificatePasswordArray = certPassword.toCharArray();
        final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
        final KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(bis, certificatePasswordArray);
        keyManagerFactory.init(keyStore, certificatePasswordArray);
        final KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
        final SSLContext context = SSLContext.getInstance("SSL");
        context.init(keyManagers, new TrustManager[]{new TrustAllX509TrustManager()}, new SecureRandom());
        final SocketFactory secureFactory = context.getSocketFactory();
        final Socket socket = secureFactory.createSocket();
        final InetAddress ip = InetAddress.getByName(host);
        socket.connect(new InetSocketAddress(ip, portNumber), socketTimeout);
        socket.setSoTimeout(socketTimeout);
        // Write the request.
        final OutputStream out = new BufferedOutputStream(socket.getOutputStream());
        out.write("GET / HTTP/1.1\r\n".getBytes());
        out.write("\r\n".getBytes());
        out.flush();
        InputStream inputStream = socket.getInputStream();
        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
        byte[] byteArray = new byte[1024];
        int bytesRead = 0;
        while ((bytesRead = inputStream.read(byteArray)) != -1) {
           outputStream.write(byteArray, 0, bytesRead);
        socket.close();
        System.out.println("Response:\r\n" + outputStream.toString("UTF-8"));
     }Unexpected SocketException:
  main: java.net.SocketException: Software caused connection abort: recv failed
       at java.net.SocketInputStream.socketRead0(Native Method)
       at java.net.SocketInputStream.read(SocketInputStream.java:129)
       at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
       at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1435)
       at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
       at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:612)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:808)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:734)
       at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:197)
       at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
       at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
       at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
       at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
       at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)

  Thanks for the quick response. Here are answers to the questions:
  1) No, this issue is not associated with one particular certificate. I have tried several certificates and see the same issue.
  2) I agree it would be simpler to only send the required certificate, but unfortunately the project requires that the user be able to specify multiple certificates and, if a client-side certificate is required, the application try each one in turn until the correct certificate is found.
  3) Yes, I realize the TrustAllX509TrustManager is insecure, but I am using this for testing purposes while trying to diagnose the client certificate problem.
  In terms of testing, I am just wrapping the above code in a try/catch block and executing it in a loop. It is quite odd that the same exact code will sometimes generate a SSLHandshakeException and other times a SocketException.
  One additional piece of information: if I force the client code to use "SSLv3" using the Socket.setEnabledProtocols(...) method, the problem goes away (I consistently get a SSLHandshakeException). However, I don't think this solves my problem as forcing the application to use SSLv3 would mean it could not handle TLS connections.
  The code to specify the SSLv3 protocol is:
  SSLSocket sslSocket = (SSLSocket) socket;
  sslSocket.setEnabledProtocols(new String[] {"SSLv3"});
  One other strange issue: if instead of specifying the SSLv3 protocol using setEnabledProtocols(...) I instead specify the protocol when creating the SSLContext, the SocketException problem comes back. So if I replace:
  final SSLContext context = SSLContext.getInstance("SSL");
  with:
  final SSLContext context = SSLContext.getInstance("SSLv3");
  and remove the "sslSocket.setEnabledProtocols(new String[] {"SSLv3"})" line, I see the intermittent SocketException problem.
  All very weird. Any thoughts?

• SOAP Receiver Adapter problem (client certificate required)

  My Scenario is similar to described in https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/3721. [original link is broken] [original link is broken] [original link is broken] I have two PI servers running on one machine. I am trying to post message HTTPS with Client authentication via SOAP adapter from one PI system to SOAP adapter of other PI server. I have done the following configuration.
  PI Server AXD - (Client) - Receiver SOAP adapter
  PI Server AXQ - (Server) - Sender SOAP Adapter.
  Steps in AXD
  1. I have created a certificate of AXD in the service_ssl view of key storage.
  2. I have imported the AXQ public certificate in to AXD in the TrustedCAs of Key storage
  Steps in AXQ
  1. I have created a certificate of AXQ in the service_ssl view of key storage.
  2. I have imported the AXD public certificate in to AXQ in the TrustedCAs of Key storage.
  3. I have created a user in AXQ and assigned the certificate of AXD under usermangement in Security provider to this user.
  4. I have added the AXD certificate under Client Authentication tab with require client certificate option checked in the SSL Provider.
  5. I have assigned the user created in AXQ in the step above to the Sender Agreement.
  Now when I post message from AXD with Configure Client Authentication checked (Here I have selected the certificate of AXD and view as service_ssl) I am getting the following error.
  Exception caught by adapter framework: SOAP: response message contains an error XIServer/UNKNOWN/ADAPTER.JAVA_EXCEPTION - java.security.AccessControlException: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:884) at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0_3
  Any pointer to solve this problem is highly appreciated.
  Thanks
  Abinash

  Hi Hemant,
  I have couple of questions. Why do we need to import certificate for SOAP WS-Security and from where I can get it?
  As far as my scenario goes I am not using message level security.
  Secondly what do you mean by TRUSTED/WebServiceSecurity? I don't see any such view inside the Key Storage.  I can see a view named just WebServiceSecuity though.
  Also I don't have a decentralized adapter installation rather I have two separate PI instances having their own central adapter engine.
  Abinash

• Problem with Require Client Certificate on on IPlanet 6.0 server

  I installed client certificate. When I connect to the server using browser, I get following error........
  You are not authorized to view this page
  You might not have permission to view this directory or page using the credentials you supplied.
  How can I run the server in Verbose mode and see exactly why this error.
  Default error file does not have any information about this rejection.
  Thanks
  Krishna

  The message is cut and paste of what client (IE) shows on the browser.
  But the Server does not show any thing in it;'s log. I don't see any activity. I have Log Verbose On.
  If I change the client certificate on to off it works fine.
  The problem is only when the client certificate is on.
  The client certificate is created using Iplanet Certificate Server as well the server certificate also generated using Iplanet Certificate Server.
  In this case I am not trying to authenticate user in the client certificate just the client certificate is valid or not.
  Thanks for the reply.
  Regards
  Krishna

• Problem using multiple Client Certificates

  Hi folks, I had (mistakenly) posted an earlier version of this question to the crypto forum.
  My problem is that I have multiple client certs in my keystore, but only one is being used as the selected certificate for client authentication for all connection�s. So, one connection works fine, the rest fail because the server doesn�t like the client cert being presented.
  I have been trying to get the JSSE to select the proper client certificate by making use of the chooseClientAlias method. (init the SSL context with a custom key manager that extends X509ExtendedKeyManager and implements the inherited abstract method X509KeyManager.chooseClientAlias(String[], Principal[], Socket))
  But, still no luck.. the JSSE is not calling in to the my version of chooseClientAlias, and it just keeps presenting the same client certificate.
  No clue why, any thoughts on how to get the JSSE to call my version of chooseClientAlias?
  Thanks!
  SSLContext sslContext = SSLContext.getInstance("TLS");
  sslContext.init(createCustomKeyManagers(Keystore, KeystorePassword),
              createCustomTrustManagers(Keystore, KeystorePassword),null);
  SSLSocketFactory factory = sslContext.getSocketFactory();
  URL url = new URL(urlString);
  URLConnection conn = url.openConnection();
  urlConn = (HttpsURLConnection) conn;
  urlConn.setSSLSocketFactory(factory);
  BufferedReader rd = new BufferedReader(new InputStreamReader(urlConn.getInputStream()));
  String line;
  while ((line = rd.readLine()) != null) {
       System.out.println(line);  }
  public class CustomKeyManager extends X509ExtendedKeyManager
      private X509ExtendedKeyManager defaultKeyManager;
      private Properties serverMap;
      public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
          SocketAddress socketAddress = socket.getRemoteSocketAddress();
          String hostName = ((InetSocketAddress)socketAddress).getHostName().toUpperCase();
          String alias = null;
          if(serverMap.containsKey(hostName)){
              alias = serverMap.getProperty(hostName.toUpperCase());
              if(alias != null && alias.length() ==0){
                  alias = null; }
          else {
              alias = defaultKeyManager.chooseClientAlias(keyType, issuers, socket);
          return alias;
  .

  Topic was correctly answered by ejp in the crypto forum..
  namely: javax.net.ssl.X509KeyManager.chooseClientAlias() is called if there was an incoming CertificateRequest, according to the JSSE source code. If there's an SSLEngine it calls javax.net.ssl.X509ExtendedKeyManager.chooseEngineClientAlias() instead.*
  You can create your own SSLContext with your own X509KeyManager, get its socketFactory, and set that as the socket factory for HttpsURLConnection.*
  Edited by: wick123 on Mar 5, 2008 10:26 AM

• Problem with client certificate based authentication

  Hello.
  We are developing an AIR application that uses client
  certificates for authentication. We have written a simple test case
  to show the problem.
  <?xml version="1.0" encoding="utf-8"?>
  <mx:WindowedApplication xmlns:mx="
  http://www.adobe.com/2006/mxml"
  layout="absolute">
  <mx:Script>
  <![CDATA[
  import mx.controls.Alert;
  private function responseHandler(): void {
  Alert.show("Response received");
  ]]>
  </mx:Script>
  <mx:HTTPService id="exampleService"
  url="https://www1.aeat.es/pymes1/pacargoi.html"
  showBusyCursor="true"
  result="responseHandler()">
  </mx:HTTPService>
  <mx:Button label="Send"
  click="exampleService.send()"/>
  </mx:WindowedApplication>
  When we click on the button, it sends the request to the
  protected page and then (if you have CA emitted certificates) the
  dialog appears requesting the client certificate. And it works
  fine.
  But next time we click on the button, the dialog requesting
  the client certificate appears again.
  Is there a way to stop showing the dialog every time?
  Any help would be very appreciated.
  Thanks a lot for your support.
  Paco.

  I have just sent a Feature Request/Bug Report with the
  following text:
  "We are experiencing a problem using AIR with a server that
  requires authentication via client certificate.
  The dialog for selecting the client certificate appears every
  time that the AIR application interacts with the server (not only
  the first time).
  Steps to reproduce bug:
  1. Install Apache HTTP Server with SSL and require client
  certificate in order to authenticate.
  2. Develop an AIR Application that connects to this server
  (HTTPService or RemoteObject have been tested with the same
  result).
  3. Every time that the AIR application connect to the
  server, the dialog appears in order the user to select the client
  certificate.
  Results: This makes the AIR application unusable.
  Expected results: The dialog requesting the client
  certificate should appear the first time only."
  Thanks,
  Paco.

• ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

  Hello, I´m stucked with this problem for 3 weeks now.
  I´m not able to configure the EAP-TLS autentication.
  In the "Certificate Store" of the ISE server I have Installed the Root, policy and the Issuing certificates as "trust for client authentication",and in the Local store I have a certificate issuing for the same issuing authority which sign the thw client ones.
  The ISE´s certificate has been issued with the "server Authentication certificate" template.
  The clients have installed the certificates  also the certificate chain.
  When I try to authenticate the wireless clients I allways get the same error: "     Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
  and "OpenSSLErrorMessage=SSL alert
  code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack=  1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
  I don´t know what else can I do.
  Thank you
  Jorge

  Hi Rik,
  the Below are the certificate details
  ISE Certificate Signed by XX-CA-PROC-06
  User PKI Signed by XX-CA-OTHER-08
  In ISE certificate Store i have the below certificates
  XX-CA-OTHER-08 signed by XX-CA-ROOT-04
  XX-CA-PROC-06 signed by XX-CA-ROOT-04
  XX-CA-ROOT-04 signed by XX-CA-ROOT-04
  ISE certificate signed by XX-CA-PROC-06
  I have enabled - 'Trust for client authentication' on all three certificates
  this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'
  when i check the certificates of current user in the Client PC this is how it shows.
  XX-CA-ROOT-04 is listed in Trusted root Certification Authority
  and XX-CA-PROC-06 and XX-CA-OTHER-08  are in Intermediate Certificate Authorities

• Problem in reading client certificate

  Hi,
  I am developing an web app. where client will use smart card for authentication.
  And server will read the clients certificate. All the application will run in https.
  So please guide me to develop such a system. I am using tomcat 6x and have created a server certificate by keytool.
  I am not using openssl.
  Please help me....
  Thanx in advance.

  hi
  when you pass the manual entry posting date will be 31.03.2009 and period will be 13 because when we close the year still open 4 special period to post further entries.
  Regards
  Tanmoy

• How to load a client certificate into a servlet to access a Web Service

  Hi,
  I am having the following problem:
  I am trying to use a Web Service client (Axis) within a servlet running under
  WebLogic 8.1.
  I would like to have mutual SSL-based authentication between the client and the
  server hosting the Web Service. Thus, my client has to send a certificate to the
  server.
  My problem is: how to get the certificate into the request? I know that, for example,
  the HttpsURLConnection class of WebLogic has a loadIdentity method. But I can't
  use this class.
  Is there any other method to make sure that SSL requests use my client certificates?
  By the way, I am receiving the following error message from the server:
  <Apr 13, 2004 5:35:10 PM EEST> <Debug> <TLS> <000000> <Required peer certificate
  s not supplied by peer>
  <Apr 13, 2004 5:35:10 PM EEST> <Warning> <Security> <BEA-090508> <Certificate
  ch
  ain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
  Anyone has an idea?
  Thanks for any hints,
  Zoltan Schreter
  Nokia

  Hi all,
  I have solved this problem basically by using weblogic's SSLSocketFactory instead
  of the default one used by Axis. I created a custom HttpSender (MyHttpSender)
  which uses this Factory. I then created a custom Config class which I pass to
  the constructor of Service. The Config class looks like this:
  public class MyConfig extends SimpleProvider {
  * Constructor - deploy client-side basic transports.
  public MyConfig() {
  deployTransport("java", new SimpleTargetedChain(new JavaSender()));
  deployTransport("local", new SimpleTargetedChain(new LocalSender()));
  deployTransport("http", new SimpleTargetedChain(new MyHttpSender()));
  The relevant code within MyHttpSender looks something like this:
  SSLClientInfo sslinfo = new SSLClientInfo();
  File ClientKeyFile = new File("C:/certificates/testkey.pem");
  File ClientCertsFile = new File("C:/certificates/testcert.pem");
  InputStream[] ins = new InputStream[2];
  ins[0] = new FileInputStream(ClientCertsFile);
  ins[1] = new FileInputStream(ClientKeyFile);
  String pwd = "mykeypass";
  sslinfo.loadLocalIdentity(ins[0], ins[1], pwd.toCharArray());
  javax.net.SocketFactory sockf = weblogic.security.SSL.SSLSocketFactory.getJSSE(sslinfo);
  sock = sockf.createSocket(host, port) ;
  By the way, this change also solved the other problem I posted about (not being
  able to tunnel through the https proxy).
  Cheeers,
  Zoltan Schreter
  Nokia
  "Tony" <TonyV> wrote:
  Which API's are you currently using for the SSL communication in the
  client
  side?
  Tony
  "Zoltan Schreter" <[email protected]> wrote in message
  news:[email protected]...
  Hi,
  I am having the following problem:
  I am trying to use a Web Service client (Axis) within a servlet runningunder
  WebLogic 8.1.
  I would like to have mutual SSL-based authentication between the clientand the
  server hosting the Web Service. Thus, my client has to send a certificateto the
  server.
  My problem is: how to get the certificate into the request? I knowthat,
  for example,
  the HttpsURLConnection class of WebLogic has a loadIdentity method.But I
  can't
  use this class.
  Is there any other method to make sure that SSL requests use my clientcertificates?
  By the way, I am receiving the following error message from the server:
  <Apr 13, 2004 5:35:10 PM EEST> <Debug> <TLS> <000000> <Required peercertificate
  s not supplied by peer>
  <Apr 13, 2004 5:35:10 PM EEST> <Warning> <Security> <BEA-090508><Certificate
  ch
  ain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
  Anyone has an idea?
  Thanks for any hints,
  Zoltan Schreter
  Nokia

• IPhone Mail app; IMAP; x509 client certificate?

  The title says it all really.
  I have an x509 client certificate happily installed in my iPhone's keychain. This certificate works correctly in Safari, allowing access to sites which demand it. When I try to collect mail from an IMAP server which also requires a client certificate, it doesn't work.
  As far as I can work out, the Mail app is not sending my client certificate when the server requests it to do so. Is this true? Is there a way to configure the Mail app to respond correctly to the server's client certificate request? Any pointers or information welcome!

  I think so.
  Actually I think I need to get the App Password for Mail on my phone. It generates the app password and I enter it into the password in the gmail setup for mail.
  The problem is that when I hit next on that page, I get the message:
  "my name" is already added" and I cannot proceed.
  Before doing this setup I deleted my gmail account by tapping the email address and hitting delete in the Mail, Contact and Calendars setup..
  but, there is something hiding in my iPhone that remembers my old gmail password (I guess) and doesn't let me proceed.
  If I enter my gmail iChain password I get the same thing.
  If i do this in airplane mode (no connection to google) i also get the same.
  I talked to an apple care person who had me reset all my settings... still the same thing.
  I am trying to avoid a gull reset of the iPhone, but that may be in the cards.
  Going to go to the apple store and ask there, but i am not hopeful.
  Barry

• How can I prevent client certificate information from being written to kjs log?

  I have an application running on iPlanet Application server 6.0 that makes an SSL connection to an external site using client certificate. Problem : Every time the connection is wrapped in a client certificate, the entire SSL handshake including the key-exchange information is automatically being logged in the kjs log. How do I prevent the kjs from writing this inormation to the log ?

  How are you making this SSL connection? Whatever library you are using must be writing to System.out().
  You could avoid logging these messages by using file logs rather than console logs. But you could probably disable these messages by working with your SSL libraries as well.

• Client Certificate Prompting

  Environment:
  Windows 2003 Server
  IIS 6.0
  Java Applets
  JVM 1.6
  I currently have IIS set to "accept client certificates" and have a valid list in my Certificate Trust List of certificates I want to accept. I also have Windows Authentication set in the event the user does not have a valid client certificate type then they will be prompted for their Windows Login. My problem is that even though they authenticate via Windows they are still being prompted for certificates by the JVM and of course there are none in IEs store.
  Is there a way to stop this or is this just a way of life.

  I think it is related to the certificate you are using: what are the available CRL's (Certificate Revocation List) in that certificate? You can see that by opening the properties of the cert. The client might want to check the CRL of your CA and has no permission
  to do it.
  You might want to check if the CRL distribution point as configured in the certification is accessible by the client or generate a different certificate with a different distribution point.
  Technical Specialist Microsoft OCS & UC Voice Specialisation - http://www.uwictpartner.be