tomcat-users mailing list archives

From "Mark W. Webb" <>
Subject Re: tomcat ssl with client certificates - solution
Date Wed, 16 Apr 2003 11:32:15 GMT
I am working on a mini-HOWTO on tomcat 4.1.24/apache 2.0.45/openssl 
0.9.7b that performs client authentication.  I hope to have it posted in 
a day or two.  I have tested the HOWTO on RH 8, and Solaris 9.  

Note: there is a bug in tomcat 4.1.24 in the JkCoyoteHandler.action 
method.  I have a fixed tomcat-jk2.jar file if you are interested.

There seems to be a __ctype_b linking problem with mod_ssl and RH9 I am 
trying to figure out.

Hough, Adriaan wrote:

>hi all
>yes, i've got tomcat standalone running with ssl and client certificates.
>i've seen a lot of questions about this, but no working solutions, so i
>thought i'd share mine with you. keep in mind, though, that i'm an ssl
>novice, so some of the things i say might not be entirely correct. but hey,
>it works!
>the way i see it, there are basically two parties involved in the
>scenario: the server, and the client. since we're implementing ssl with
>client certificates, both the server and the client should have certificates
>to prove their identities. now, unless the client simply takes the server's
>certificate on face value, and the server the same for the client, we need
>to introduce an additional entity (or two): the certification authority. the
>ca is supposed to be a third party that can vouch for the authenticity of a
>certificate. thus, the client may require the server's certificate to have
>been signed by a specific ca, and the server may in return require the
>client's certificate to have been signed by (possibly) another ca.
>i'll only describe the simplest scenario, where the client trusts any
>certificate that the server chooses to pass to it. this will leave us with
>three parties: the server (with its certificate), the client (with its
>certificate) and the ca that the server trusts to verify client
>scenario: client trusts everybody
>note: i've got jdk 1.3.1, tomcat 4.1.18, jsse 1.0.3_01 and openssl 0.9.6g
>installed on my system.
>first, create a self signed certificate to identify your server:
>1) execute "keytool -genkey -alias tomcat -keyalg RSA -keystore
>/anywhere/server.keystore" (tomcat requires the password to be "changeit").
>next, you need to create the ca:
>2) execute "openssl req -new -newkey rsa:512 -nodes -out ca.req -keyout
>3) execute "openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.req
>-out ca.crt".
>now you can create the client's certificates, and have them signed by the
>4) execute "openssl req -new -newkey rsa:512 -nodes -out client.req -keyout
>5) execute "openssl x509 -CA ca.crt -CAkey ca.key -req -in client.req -out
>client.crt -CAcreateserial"
>tomcat reads the list of trusted ca's from a file called
><$JAVA_HOME/jre/lib/security/cacerts>. to add our ca to this list, you will
>need to do the following:
>6) execute "keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts
>-file ca.crt -alias ClientCA" (the default installed password is
>all that remains, is to configure tomcat for ssl, and tell it where to find
>its certificates:
>7) modify the server.xml as described at
>8) change the ssl connector as follows: <Factory
>clientAuth="true" protocol="TLS" keystoreFile="/anywhere/server.keystore"/>.
>that's it. now, whenever a client connects to the server, the server will
>send its own certificate (from </anywhere/server.keystore>) along with a
>list describing all ca's that it trusts (from
><$JAVA_HOME/jre/lib/security/cacerts>). the client should then return a
>certificate (client.crt) that was signed by one of these ca's.
>to verify your setup, start tomcat with JAVA_OPTS="",
>and do the following:
>*) execute "openssl s_client -cert client.crt -key client.key -connect
>note: i was unable to test this with internet explorer 5.50 - it never used
>the certificates i imported (both ca & client certificates, converted with
>"openssl x509 -in ca.crt -out ieca.crt -outform DER" etc.).
>the tomcat configuration described above will require all clients to present
>certificates for all resources on the server. if you require client
>certificates for only some resources, you should rather set
>clientAuth="false" (step 8), and specify "CLIENT_CERT" as login method in
>the web application's deployment descriptor (described in the servlet
>adriaan hough
>The information in this e-mail is confidential and is intended solely for
>the addressee. If you have received this e-mail in error, you are hereby
>notified that any review, copying or distribution is strictly prohibited.
>Please inform the sender immediately and destroy the original. Siemens
>Limited and/or its subsidiaries accepts no liability of whatever nature for
>any loss, liability, damage or expense resulting directly or indirectly from
>access to this message and any files or links that are attached hereto.
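The CA and client-certificate steps (2 to 5) of the quoted post, as an added example that is not part of the original message or of Tomcat: a POSIX shell script that builds the CA, signs a client certificate with it, and then runs the same chain check Tomcat performs during the handshake, plus a self-signed client certificate that the check must reject (which is the whole point of listing only your own CA in cacerts). It uses 2048-bit keys and SHA-256 rather than the post's rsa:512, since 512-bit RSA keys are trivially factorable today. WORKDIR, the subject names and the file names are this example's own choices; the keytool import into cacerts (step 6) and the server.xml connector change (steps 7 and 8) are not scripted here.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway CA plus one
# CA-signed and one self-signed client certificate, verified with openssl.
set -eu

# Assumption: a scratch directory; override with WORKDIR=/path ./script.sh
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Steps 2 and 3 of the post: CA key + request, then a self-signed CA cert.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Client CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.req" 2>/dev/null
    openssl x509 -req -days 365 -sha256 -signkey "$WORKDIR/ca.key" \
        -in "$WORKDIR/ca.req" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Steps 4 and 5: client key + request, signed by the CA. -CAcreateserial
# writes ca.srl next to ca.crt on first use and reuses it afterwards.
make_client() {
    name="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$name" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.req" 2>/dev/null
    openssl x509 -req -days 365 -sha256 \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -in "$WORKDIR/$name.req" -out "$WORKDIR/$name.crt" 2>/dev/null
}

# A client certificate the CA never signed (self-signed in one step).
# A server that trusts only ca.crt must refuse it.
make_rogue() {
    name="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -x509 -days 365 \
        -subj "/CN=$name" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.crt" 2>/dev/null
}

# The check Tomcat makes with clientAuth="true": does the presented
# certificate chain to a CA in its trust store? Prints "ok" or "fail".
verify_client() {
    if openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$1.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Demonstration run.
make_ca
make_client alice
make_rogue mallory
echo "alice (CA-signed):    $(verify_client alice)"
echo "mallory (self-signed): $(verify_client mallory)"
echo "files in $WORKDIR"
```

The ca.crt produced here is what step 6 imports into cacerts (or, on current Tomcat versions, into a dedicated truststore referenced by the connector), and alice.key/alice.crt are what the `openssl s_client -cert ... -key ...` check in the post presents to the server.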
