Interesting note about Tomcat and SSL (when not using the APR): when using log4j in Tomcat (https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/CreateUsefulContainerLogs), log4j.logger.org.apache.tomcat.util.net.jsse=DEBUG will output the certificates from the request in the logs (very detailed!). --Velpi
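
An added example, not part of the note above or of the linked page: a log4j 1.x properties fragment that sends this logger's DEBUG output to its own size-capped file, so the certificate dumps stay out of the main container log. The appender name JSSE and the file name jsse-debug.log are assumptions chosen for illustration.

```properties
# Logger named in the note above: DEBUG on the JSSE (non-APR) connector code.
# The second value attaches a dedicated appender (name "JSSE" is an assumption).
log4j.logger.org.apache.tomcat.util.net.jsse=DEBUG, JSSE

# Do not also pass these events up to the root logger's appenders,
# otherwise the certificate output lands in the main log as well.
log4j.additivity.org.apache.tomcat.util.net.jsse=false

# Size-capped rolling file; the file name is an assumption.
log4j.appender.JSSE=org.apache.log4j.RollingFileAppender
log4j.appender.JSSE.File=${catalina.base}/logs/jsse-debug.log
log4j.appender.JSSE.MaxFileSize=10MB
log4j.appender.JSSE.MaxBackupIndex=5
log4j.appender.JSSE.layout=org.apache.log4j.PatternLayout
log4j.appender.JSSE.layout.ConversionPattern=%d{ISO8601} [%t] %-5p %c - %m%n
```

The log file will contain the certificate details of connecting clients, so give it the same file permissions and retention as other logs holding identity data, and set the logger back to a higher level once debugging is done.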