tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Palmer <>
Subject SSL Client authentication with standalone Tomcat
Date Tue, 26 Feb 2002 10:57:51 GMT
I'm trying to set up for a simple project client-authentication and CA
abilities, using standalone tomcat and openssl. I'm not having
luck. The short version is, when I enable clientAuth, I am unable to
connect to the server, getting various messages (in Mozilla 0.9.8, I
get no error messages but the page will not load, using openssl
s_client I get a write error). 

Forgive me in advance for this long message, but my hope is that by
explicitly stating what I'm doing, it will be easy for someone more
experienced to see where I'm going wrong. I've spent much of the last
2 days searching online for information and trying different
approaches; most of the problems/solutions don't give a lot of details

I've done the following:

Step 1: Generate the tomcat request for certificate
        keytool -genkey -alias tomcat -keyalg RSA

        keytool -certreq -alias tomcat -file my.csr

Step 2: Generate the ca certificate
        openssl req -new -newkey rsa:512 -nodes -out ca.req \
                    -keyout ca.key
        openssl x509 -trustout -signkey ca.key -days 365  \
                     -req -in ca.req -out ca.crt

Step 3: Sign the tomcat request to generate tomcat certificate 
        openssl x509 -CA ca.crt -CAkey ca.key -in my.csr \
                     -out my.crt -req -CAcreateserial

Step 4: Import both into my keystore
        keytool -import -file ca.crt -alias RootCert

        keytool -import -file my.crt -alias tomcat

I can then stop and restart tomcat, and non-client-authenticated https
works. I then go on to

Step 5: Generate a client certificate
        openssl req -new -newkey rsa:512 -nodes \
                    -out client.req -keyout client.key

        openssl x509 -CA ca.crt -CAkey ca.key \
                     -req -in client.req \
                      -out client.crt

I then enable clientAuth="true", and try to connect to tomcat using
the openssl s_client:
        openssl s_client -cert client.crt -key client.key \
                         -connect localhost:8443
and get the following output:
depth=1 /C=US/ST=California/L=Stanford/O=Stanford University/OU=CSD/CN=UStorit CA/
verify error:num=19:self signed certificate in certificate chain
verify return:0

Any ideas? Or ideas on how to debug this? (I'm coming up against a
deadline, so any hints much appreciated)

Brian Palmer
"Whoever fights monsters should see to it that in the process he does
not become a monster. And when you look long into an abyss, the abyss
also looks into you"  - Nietzsche

To unsubscribe:   <>
For additional commands: <>
Troubles with the list: <>

View raw message