I am working on a java web app, that I will deploy on a tomcat 10 server, which requests a (smart card) certificate from a user to authenticate them (after having entered their regular user credentials). (See also this question that describes more about it.) By setting up the right tomcat server configuration, I have made my web app connect over https (on port 8443). Then, when needed, it will make an https request on another port (8444) to request the user's certificate.
However, the issue I'm having is that the browser never prompts me to select one of the available certificates, like I've seen it work for others who do the same kind of thing (see this question and this site). I have tested my browser on sites like Login.gov and other government sites: it pops up the menu for me to select my certificate--so I know the issue is not my browser settings. I can even open my browser settings and view the certificates on the smart card I have connected so I know it sees them.
Currently, my server.xml has the https connectors like this:
<Connector
port="8444" secure="true" scheme="https" maxThreads="150" SSLEnabled="true"
maxParameterCount="1000" protocol="org.apache.coyote.http11.Http11NioProtocol">
<SSLHostConfig
sslProtocol="TLSv1.2" certificateVerification="true"
truststoreFile="C:/Program Files/Java/jdk-17/lib/security/cacerts"
truststorePassword="changeit">
<Certificate
certificateKeystoreFile="path/to/keystore.jks"
certificateKeystorePassword="password" type="RSA"/>
</SSLHostConfig>
</Connector>
The connector on port 8443 is nearly identical, but with certificateVerification="false". (Update 6-17-24: I have tried certificateVerification="required" instead of "true", and "optional" or "none" instead of "false", but no successful results.)
In my java servlet, I have,
// there are various types and providers, but these were the ones that worked
KeyStore keyStore = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
// load local certificates (the certificates visible in your browser)
keyStore.load(null);
// get all the names of the available certificates
Enumeration<String> aliases = keyStore.aliases();
which lets me see the same certificates I can see from my browser settings. (Update 6-17-24: after this past weekend, I now can't see the list of certificates anymore...and I have no idea why.) Then I make the request to the appropriate URL on port 8444:
URL url = new URL(certificateRequestUrl);
HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
connection.setRequestMethod("GET");
Integer responseCode = connection.getResponseCode(); // error thrown here
I get the error javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate. According to this discussion, I think the error means that the server doesn't trust the certificate presented during the SSL handshake--but it didn't even ask me which certificate to use! I know that the URL is structured correctly because I get the expected response when certificateVerification is set to "false" on the port the request goes to.
Update 6-18-2024: I added the Java Option (in Tomcat) -Djavax.net.debug=ssl and have seen some more details:
javax.net.ssl|ERROR|F3|https-jsse-nio-8444-exec-6|2024-06-18 13:29:13.491 MDT|TransportContext.java:363|Fatal (BAD_CERTIFICATE): Empty client certificate chain (
"throwable" : { javax.net.ssl.SSLHandshakeException: Empty client certificate chain at ... }
)
javax.net.ssl|WARNING|F3|https-jsse-nio-8444-exec-6|2024-06-18 13:29:13.494 MDT|SSLEngineOutputRecord.java:173|outbound has closed, ignore outbound application data
javax.net.ssl|DEBUG|E2|https-jsse-nio-8443-exec-1|2024-06-18 13:29:13.497 MDT|Alert.java:238|Received alert message (
"Alert": {
"level" : "fatal",
"description": "bad_certificate"
}
)
javax.net.ssl|ERROR|E2|https-jsse-nio-8443-exec-1|2024-06-18 13:29:13.500 MDT|TransportContext.java:363|Fatal (BAD_CERTIFICATE): Received fatal alert: bad_certificate (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate at ... }
)
I don't understand why this doesn't see the certificates, since I can view and download them from my browser.
Note: Although, the smart card I have is a temporary one--without a certificate chain--some users of this application will have a certificate chain linked back to a trusted CA. Will I need to add a user's certificate to the server's trust store during set up of the card with their account so that the future SSL handshakes are accepted?
I think my question is very similar to this one, but I will have multiple users needing to add their certificates to the server's trust store during account setup, so it has to be added programmatically in java. If that is the case, how do I prompt the user to select which certificate (if multiple are available) to add to the trust store? In some cases, the user's certificate will not have a chain, while for other users, it may have a certificate chain and the root may need to be added.
I know that both java and my browser can see my certificates, so why doesn't my browser provide the popup menu to select the certificate and enter the pin (when required)? How can I get the browser to give those popups?
We finally found the solution! Essentially, the problem was that the smart cards we are using do not contain the certificate chain. To authenticate users via certificates, you just need to add the issuer's certificate in the truststore, not the card's certificate itself (like we had been trying). In other words, you can't say "I trust myself, so everyone else should trust me"--someone else has to say that you are trusted. So, we got the card issuer's certificate and add it to the server's truststore.
We also changed server.xml like this:
<Connector
port="8444" secure="true" scheme="https" maxThreads="150" SSLEnabled="true"
maxParameterCount="1000" protocol="org.apache.coyote.http11.Http11NioProtocol">
<SSLHostConfig
sslProtocol="TLS" certificateVerification="required"
truststoreFile="path/to/truststore"
truststorePassword="password">
<Certificate
certificateKeystoreFile="path/to/keystore.jks"
certificateKeystorePassword="password" type="RSA"/>
</SSLHostConfig>
</Connector>
Note that certificateVerification="required" is a critical change.
The error javax.net.ssl.SSLHandshakeException: Empty client certificate chain simply means that the certificate on the smart card was received, but there was no certificate chain, or the next certificate in the chain was not found (in the server's truststore, etc.).
Also, note that this solution did not use any Java like I had described in my question. This configuration requires all users who access this server to present an acceptable certificate before allowing them any access. This may not be the end goal, but can help you to get started (other things in Java or in the web.xml may need to be configured for additional control of the authentication process).