axis-c-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jason Musgrave <jsmusgr...@gmail.com>
Subject Assistance running examples with ssl
Date Mon, 31 Oct 2005 17:51:18 GMT
Fred,
     Thanks.  I'm confident in the URLs --> the http version works
fine: so the machine is OK.  And I can browse the server on the 8443
port (including the java AXIS wsdl.  Plus it works )  I just wanted
some confidence that this cert whackiness is really what was going
on...  I'll now send out the openssl stuff.  I know this isn't an
openssl group, but you have to do something like this to use SSL with
AXIS-C, so if anyone can share what they're doing or critique what I'm
doing.

(The following is based upon the process described at:
http://www.churchillobjects.com/c/11201g.html)

<code>
#!/usr/bin/csh

rm -rf mkcerts
#set path = ( /usr/local/ssl/bin $path )
#set path = /usr/local/ssl/bin:$path

#setenv PATH = /usr/local/ssl/bin:$PATH
set path = ( /usr/local/ssl/bin $path )
#set path = /usr/local/ssl/bin:$path

echo $PATH

mkdir mkcerts
cd mkcerts
mkdir demoCA
cd demoCA
mkdir certs
mkdir crl
mkdir newcerts
mkdir private
touch index.txt
echo "01" > serial
cd ..

#generate the Certificate Authorities Key
openssl genrsa -out ca.key 1024
#generate create certificate with Key
openssl req -new -x509 -key ca.key -out demoCA/cacert.pem<<H_MK_CERT
US
COLORADO
AURORA
myorg
CertGroup
JASON MUSGRAVE
jsmusgrave@gmail.com
H_MK_CERT

#make client key
keytool -genkey -alias clientapp -keystore newcerts<<H_CLIENT_KEYSTORE
changeit
clientStuff
mysuborg
myorg
AURORA
COLORADO
US
yes

H_CLIENT_KEYSTORE

#make server key
keytool -genkey -alias serverapp -keystore newcerts<<H_SERVER_KEYSTORE
changeit
testmachine
mysuborg
myorg
AURORA
COLORADO
US
yes

H_SERVER_KEYSTORE

#Export the client key
keytool -keystore newcerts -certreq -alias clientapp -file
clientapp.crs<<H_EXPORT_CLIENT
changeit
H_EXPORT_CLIENT

#Export the server key
keytool -keystore newcerts -certreq -alias serverapp -file
serverapp.crs<<H_EXPORT_SERVER
changeit
H_EXPORT_SERVER

#sign the client key
openssl ca -in clientapp.crs -out clientapp.pem -keyfile ca.key<<H_SIGN_CLIENT
y
y
H_SIGN_CLIENT

#sign the server key
openssl ca -in serverapp.crs -out serverapp.pem -keyfile ca.key<<H_SIGN_SERVER
y
y
H_SIGN_SERVER

#Convert from PEM to DER
openssl x509 -in clientapp.pem -out clientapp.der -outform DER
openssl x509 -in serverapp.pem -out serverapp.der -outform DER

#import CA Cert & Keys into Keystores
keytool -keystore newcerts -alias systemca -import -file
demoCA/cacert.pem<<H_IM_1
changeit
yes
H_IM_1

#
keytool -keystore newcerts -alias clientapp -import -file clientapp.der<<H_IM_2
changeit
yes
H_IM_2

keytool -keystore newcerts -alias serverapp -import -file serverapp.der<<H_IM_3
changeit
yes
H_IM_3
</code>

Now I have a keystore with client/server certs in it.  Then I copy the
newcerts keystore to the tomcat install (which hosts JAVA AXIS) and
use remove keytool to remove client cert from it.

Then I go back and copy cacert into the certs directory and hash it. 
Since, I think this is how to make it a trusted cert.

<code>
cp cacert.pem certs
cd certs
ln -s cacert.pem `openssl x509 -noout -hash -in cacert.pem`.0
</code>


Any help would be appreciated,
Jason

Mime
View raw message