httpd-users mailing list archives

From Tina Exner <tex...@picturesafe.de>
Subject Re: [users@httpd] Export CACertificate to Tomcat
Date Fri, 06 Aug 2010 08:27:36 GMT

thank you very much for your reply!

that works for me!

  :-)


On 05.08.2010 17:41, ravi kumar wrote:
>
> Hi,
>
> Confirm if you want certificate for apache or tomcat?
> If it is apache then "filename.crt" file will work, but if it is for 
> tomcat then you will need "filename.keystore".
>
> Below command is used to generate .key file in Linux using phase key
>
> openssl genrsa -des3 1024 > filename.key
>
>
> Below command is used to generate csr file in Linux
>
> openssl req -new -key /root/csr/filename.key > filename.csr
>
>
> ==========================================
>
> *Step 1:* Generate a keystore in pkcs12 format using the Certificate 
> (.crt) and the Private Key (.key) files
>
> openssl pkcs12 -in <yourfile.crt> -inkey <yourfile.key> -export -out <keystore name> -name tomcat
>
> The keystore file will be generated into the folder where OpenSSL 
> binary is located
>
> *Step 2: *Once the keystore is generated, configure the SSL factory in 
> server.xml file to use it
>
>
> *Example:*
>
> <clientAuth="false" sslprotocol="TLS"
> keystoreFile="C:\Program\tomcat/keystore" keystorePass="mypassword"
> truststorePass="mypassword" keystoreType="pkcs12" />
>
>
>
>
> Note: Sometimes providerroot file is required.
> Ex. If I purchased my certificate from "thawte" then I will
> require "thawteroot.csr" and will merge this with my "filename.csr" 
> and install on the server.
>
>
> Hope above solution works for you.
>
>
> Thanks,
> Ravi
>
>
> --- On Thu, 5/8/10, Tina Exner <texner@picturesafe.de> wrote:
>
>
>     From: Tina Exner <texner@picturesafe.de>
>     Subject: Re: [users@httpd] Export CACertificate to Tomcat
>     To: users@httpd.apache.org
>     Date: Thursday, 5 August, 2010, 3:49 PM
>
>
>     does nobody know a solution for this problem?
>
>
>>     hi all,
>>
>>     we have a nexus multiid server for certificate authentication.
>>     i try to pass the client smartcard certificates from apache to
>>     tomcat server.
>>     the tomcat talks to the nexus and the authentication takes effect.
>>
>>     when i try to export the client ca certificate to the tomcat server
>>      i get the following errors:
>>
>>     [Mon Aug 02 15:36:40 2010] [error] [client] Certificate
>>     Verification: Error (20): unable to get local issuer certificate
>>     [Mon Aug 02 15:36:40 2010] [error] [client] Re-negotiation
>>     handshake failed: Not accepted by client!?
>>
>>     @Firefox:
>>     (Fehlercode: ssl_error_unknown_ca_alert)
>>
>>
>>     this is my ssl configuration:
>>
>>     <IfModule ssl_module>
>>               SSLVerifyClient none
>>               SSLVerifyDepth 5
>>
>>               #SSLOptions +ExportCertData +StrictRequire +StdEnvVars +FakeBasicAuth
>>               SSLOptions +ExportCertData
>>
>>               #SSLCACertificateFile conf/ssl/Certificate.cer
>>
>>     </IfModule>
>>
>>     <Location /nexus>
>>                     SSLVerifyClient         require
>>                     SSLVerifyDepth          5
>>
>>                     #SSLCACertificateFile   /ps/apache2.2/testsystem1/conf/ssl/Certificate.crt
>>                     #SSLOptions             +ExportCertData +StrictRequire +StdEnvVars +FakeBasicAuth
>>                     SSLOptions              +ExportCertData +StdEnvVars
>>                     #SSLRequireSSL
>>     </Location>
>>
>>
>>     my jk.conf:
>>
>>       JkExtractSSL          On
>>       JkHTTPSIndicator      HTTPS
>>       JkSESSIONIndicator    SSL_SESSION_ID
>>       JkCIPHERIndicator     SSL_CIPHER
>>       JkCERTSIndicator      SSL_CLIENT_CERT
>>       JkEnvVar              SSL_CLIENT_CERT SSL_CLIENT_CERT
>>       JkOptions             +ForwardSSLCertChain
>>
>>
>>     i use apache 2.2.13-3 and openssl 0.9.8a.
>>
>>     Any hints on what might have gone wrong will be highly useful.
>>
>>     regards
>>     Tin
>>
>
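
Two OpenSSL behaviours from this thread, as an added example that is not part of the original messages: the "error 20 ... unable to get local issuer certificate" line in the quoted Apache log is what OpenSSL reports when a certificate's issuer is not among the trust anchors it was given, and the pkcs12 export from Step 1 can carry the issuing CA along via -certfile. The CA, the leaf certificate, all file names and the password "changeit" are constructed sample values.

```sh
#!/bin/sh
# Added example: every name, subject and the password below is a constructed sample value.
set -e

# Create a throwaway CA and a leaf certificate signed by it in directory $1.
make_pki() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=leaf.example" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/leaf.crt" 2>/dev/null
}

# Print openssl's verdict on the leaf; arguments after $1 select the trust anchors.
verify_leaf() {
    dir=$1; shift
    openssl verify "$@" "$dir/leaf.crt" 2>&1 || true
}

# The pkcs12 export from Step 1, non-interactive, with the issuing CA bundled via -certfile.
make_keystore() {
    openssl pkcs12 -export -in "$1/leaf.crt" -inkey "$1/leaf.key" \
        -certfile "$1/ca.crt" -name tomcat -passout "pass:$2" -out "$1/keystore.p12"
}

# Count the certificates stored in the keystore without printing the private key.
keystore_certs() {
    openssl pkcs12 -in "$1/keystore.p12" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pki "$work"
echo "issuer unknown: $(verify_leaf "$work" | grep 'error 20')"
echo "issuer trusted: $(verify_leaf "$work" -CAfile "$work/ca.crt")"
make_keystore "$work" changeit
echo "certificates in keystore: $(keystore_certs "$work" changeit)"
```

The same `openssl verify -CAfile` check can be run against a real certificate and the CA file a server is configured with before changing any server settings.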
