Notice: This post is more than a year old. It may be outdated.
In order to accept Estonian ID card, Tomcat needs to be configured to accept client side certificates. But before that, SSL needs to be configured.
Setting up client side authentication
First you need all SK’s root certificates.
SK (Certification Centre, legal name AS Sertifitseerimiskeskus) is Estonia’s primary and currently the only certification authority (CA), providing certificates for authentication and digital signing to national identity documents (ID-card, residence permit, Digi-ID, Mobiil-ID).
Add these certificates to your keystore.
For each import, you will be asked for the keystore password and your confirmation on whether you trust this certificate or not.
Modify your SSL connector element in the server.xml file.
You need to change clientAuth to true and set the truststoreFile path and password. That’s all for Tomcat configuration. Now you need to enable client side authentication from your applicaiton. The following is a sample web.xml:
If you wish to get information about the client or server certificates in your application, then you can use the following snippet.
At this point you’re able to read client side certificates in your web app. The only thing left to do is to make sure the certificate presented by the client has not revoked by the CA. To accomplish that you’re going to have to keep a certificate revocation list (CRL) or make an OCSP (online certificate status protocol) request. These topics will be discussed in a future article.