I am working on a java web app, that I will deploy on a tomcat 10 server, which requests a (smart card) certificate from a user to authenticate them (after having entered their regular user credentials). (See also this question that describes more about it.) By setting up the right tomcat server configuration, I have made my web app connect over https (on port 8443). Then, when needed, it will make an https request on another port (8444) to request the user’s certificate.
However, the issue I’m having is that the browser never prompts me to select one of the available certificates, like I’ve seen it work for others who do the same kind of thing (see this question and this site). I have tested my browser on sites like Login.gov and other government sites: it pops up the menu for me to select my certificate–so I know the issue is not my browser settings. I can even open my browser settings and view the certificates on the smart card I have connected so I know it sees them.
Currently, my server.xml has the https connectors like this:
<Connector
port="8444" secure="true" scheme="https" maxThreads="150" SSLEnabled="true"
maxParameterCount="1000" protocol="org.apache.coyote.http11.Http11NioProtocol" >
<SSLHostConfig
sslProtocol="TLSv1.2" certificateVerification="true"
truststoreFile="C:/Program Files/Java/jdk-17/lib/security/cacerts"
truststorePassword="changeit">
<Certificate
certificateKeystoreFile="path/to/keystore.jks"
certificateKeystorePassword="password" type="RSA" />
</SSLHostConfig>
</Connector>
The connector on port 8443 is nearly identical, but with certificateVerification="false".
In my java servlet, I have,
// there are various types and providers, but these were the ones that worked
KeyStore keyStore = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
// load local certificates (the certificates visible in your browser)
keyStore.load(null);
// get all the names of the available certificates
Enumeration<String> aliases = keyStore.aliases();
which lets me see the same certificates I can see from my browser settings. Then I make the request to the appropriate URL on port 8444:
URL url = new URL(certificateRequestUrl);
HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
connection.setRequestMethod("GET");
Integer responseCode = connection.getResponseCode(); // error thrown here
I get the error javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate. According to this discussion, I think the error means that the server doesn’t trust the certificate presented during the SSL handshake–but it didn’t even ask me which certificate to use! I know that the URL is structured correctly because I get the expected response when certificateVerification is set to "false" on the port the request goes to.
Note: Although, the smart card I have is a temporary one–without a certificate chain–some users of this application will have a certificate chain linked back to a trusted CA. Will I need to add a user’s certificate to the server’s trust store during set up of the card with their account so that the future SSL handshakes are accepted?
I think my question is very similar to this one, but I will have multiple users needing to add their certificates to the server’s trust store during account setup, so it has to be added programmatically in java. If that is the case, how do I prompt the user to select which certificate (if multiple are available) to add to the trust store?
I know that both java and my browser can see my certificates, so why doesn’t my browser provide the popup menu to select the certificate and enter the pin (when required)? How can I get the browser to give those popups?