Hi everyone.
 
I'm in the process of helping our application developers figure out an issue.
 
In summary:
 
We have an application that lives on the vxml app server (tomcat).  This application is required to hit a webservice from a third party using https.  We are required to use SSL obvisouly and we are also required to present a .pfx (digitl certificate) when challenged.
 
We have the digital cert and all the certificate chains loaded up properly (at least I think we do).  I can do a list on the keystore and see my personal key entry and the cert chains.  A packet capture proves we get the SSL handshake started but when challenged for the cert I don't think tomcat knows what to do or which certificate to present to the third party.
 
This writes an error out in the STD out log in the Tomcat folder complaining about a 403 failure.  Which it's probably a 403.4 or 403.7 (SSL required) error.  I've loaded the certs up in the windows key store and can hit the same URL from the IE browser.  IE prompts me to select the cert I want to use when challenged and then SSL starts and I can see the data from the webservice.
 
So - is two step or mutual SSL even possible on CVP (tomcat) version 8.5.1(ES4)?  If so, is there any other way to debug SSL and figure out why tomcat can't or does not present the correct cert?
 
Thanks in advance,
 
Jason

What are the commands you used to import the security certs into tomcat. Did you import a .cer ?


 
Hi.
 
We were issued a .pfx file.  In that file is the private key, and the certificate chain.  We point our keytore to a specific keystore using the java options in the tomcat confing.
 
Here is the command I used to import the file:
 
keytool -importkeystore -srckeystore C:\mycert.pfx -srcstoretype PKCS12 -destkeystore C:\cvp.keystore

Everything seemed to work with the keytool.  I can do a list on the keystore and the private key entry is there.

Hi.
 
Yes, the list command shows all the certs and no issues.
 
I actually just got word back from Cisco TAC that mutual SSL is not even supported on tomcat/cvp 8.5(1) ES4 yet.  I'm not sure I buy that answer yet but I will keep digging.