I would like to have Internet Explorer allow me to choose an identity when connecting to a client-authentication-enabled web server.

Currently I have my Tomcat web server configured to use client authentication. I also have an SSL client accessing a keystore and successfully connecting to the web server. However, when trying to get IE 7 to successfully connect to the web server, the methodology failed. I did the following:

I've created a PKCS12 file containing a private key as well as the associated digital certificate (it's currently self-signed).

I then went into IE Tools > Internet Options > Content and imported the PKCS12 file into the Personal certificate store. When the browser attempts to make a connection with the web server, I get a popup message entitled "Choose a Digital Certificate".

HOWEVER, the View Certificate button is grayed out. I presume that this button should have allowed me to choose the certificate associated with the key pair that I imported.

  1. Why is it grayed out?
  2. Is the methodology for what I'm trying to accomplish altogether different?

thanks, Mike

+1  A: 

I'll now answer my own question as I have found the problem.

I did not yet update the web server trust store with the CA certificate (the same certificate, as it is self-signed). I finally did this, but only out of desperation, as my only aim at this point was to be able to choose a certificate but not necessarily have the connection succeed.

Evidently the handshake workflow is such that IE knows which certificates the web server will trust so that if there are no matches, no certificate option is shown. I would have thought that IE would allow you to pick any certificate and if it was not trusted by the web server then the connection would simply fail. Interesting.

Mike
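The filtering the answer describes is the server's TLS CertificateRequest message carrying the distinguished names of the CAs in its trust store, with the browser only listing client certificates whose chain leads to one of those names. The following added example (not code from the original post) simulates that filter with plain dicts standing in for X.509 certificates; every DN is a constructed sample value, and `chain_issuers`, `selectable_certs` and `demo` are hypothetical helper names chosen for this illustration.

```python
"""Simulate the client-certificate filter a browser applies during a TLS
client-authentication handshake.

Added example, not code from the original post. Certificates are modelled
as dicts with subject/issuer distinguished names rather than real X.509
objects; all DNs are constructed sample values.
"""

# Constructed sample: the browser's Personal store. A self-signed
# certificate has subject == issuer, exactly the asker's situation.
PERSONAL_STORE = [
    {"subject": "CN=mike,O=Example", "issuer": "CN=mike,O=Example"},
    {"subject": "CN=mike-corp,O=Corp", "issuer": "CN=Corp Issuing CA,O=Corp"},
]

# Constructed sample: intermediate CA certs the browser can use to build a
# chain upward from a personal certificate.
INTERMEDIATES = [
    {"subject": "CN=Corp Issuing CA,O=Corp", "issuer": "CN=Corp Root CA,O=Corp"},
]


def chain_issuers(cert, intermediates):
    """Return every issuer DN seen while walking up from `cert` through the
    locally available intermediates. Stops at a self-signed certificate or
    when no intermediate with the needed subject is available."""
    by_subject = {c["subject"]: c for c in intermediates}
    seen = set()
    current = cert
    while current["issuer"] not in seen:
        seen.add(current["issuer"])
        if current["subject"] == current["issuer"]:
            break  # self-signed: top of the chain
        nxt = by_subject.get(current["issuer"])
        if nxt is None:
            break  # chain cannot be extended further on this client
        current = nxt
    return seen


def selectable_certs(personal_store, intermediates, acceptable_cas):
    """Certificates a browser would list in its 'Choose a Digital Certificate'
    dialog.

    `acceptable_cas` models the certificate_authorities field of the server's
    CertificateRequest (RFC 5246 section 7.4.4): the subject DNs of the CAs in
    the server's trust store. An empty list means the server named no CAs, in
    which case any client certificate may be offered.
    """
    if not acceptable_cas:
        return list(personal_store)
    wanted = set(acceptable_cas)
    return [c for c in personal_store
            if chain_issuers(c, intermediates) & wanted]


def demo():
    """Run the scenarios from the question and answer; returns the subject
    DNs the dialog would list for each server trust-store configuration."""
    scenarios = {
        # Server trust store only knows an unrelated CA: nothing matches, so
        # the dialog is empty and its buttons are greyed out (the question).
        "unrelated_ca": ["CN=Some Other CA,O=Elsewhere"],
        # Self-signed client cert imported into the server trust store (the
        # answer's fix): the cert's own DN is now an acceptable issuer.
        "self_signed_trusted": ["CN=mike,O=Example"],
        # Server trusts only the corporate root: the corp cert matches via
        # the intermediate, the self-signed one still does not.
        "corp_root_trusted": ["CN=Corp Root CA,O=Corp"],
        # Server sent no CA names at all: everything is offered.
        "no_ca_names": [],
    }
    return {
        name: [c["subject"] for c in
               selectable_certs(PERSONAL_STORE, INTERMEDIATES, cas)]
        for name, cas in scenarios.items()
    }


if __name__ == "__main__":
    for name, subjects in demo().items():
        print(f"{name}: {subjects or '(no certificate offered)'}")
```

The `unrelated_ca` scenario reproduces the empty dialog from the question, and `self_signed_trusted` reproduces the answer's fix: because a self-signed certificate is its own issuer, it only becomes selectable once its own DN is in the server's trust store. When diagnosing this on a live server, `openssl s_client` prints the CA names the server sent under "Acceptable client certificate CA names", which is the list this simulation takes as `acceptable_cas`.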