tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tamas Suto" <tamas.s...@imperial.ac.uk>
Subject [URGENT] Problems getting SSL 2-Way Authentication to work
Date Fri, 23 Jan 2004 00:51:21 GMT
To whomever can help:
 
I'm trying to get a 2-way authentication mechanism working for Tomcat
4.1.29. I have browsed many archives and guides and have come up with some
steps of commands to try and get the whole business up and running (see
further down).
 
I basically have a server and a client and I want the server to present a
certificate to the client and vice versa, which the server then accepts and
the user gains access to the protected resources.
 
I am using an own CA (i.e. a self-signed one), which I employ to sign both
the server and the client certificates.
 
My problem is that even though the server seems to present to me the correct
certificate when I examine it (i.e. correctly signed by my own CA), I get an
error saying the following (using Mozilla to access the site):
 
"Could not establish an encrypted connection, because certificate presented
by <server> is invalid or corrupted. Error Code: -8182"
 
I looked this up in the Mozilla error codes database and it had the
annotation "Peer's certificate has an invalid signature".
 
I am really confused as to why this doesn't work. The exact steps I have
taken for the whole process are as follows:
 
 
==================

SETTING UP OWN CA

==================

1. Create directory "certificates" and subdirectories

- ca

- server

- client

 

2. Create private key and certificate request for our own CA: (from root
dir)

openssl req -new -newkey rsa:1024 -nodes -out certificates/ca/ca.csr -keyout
certificates/ca/ca.key -config /homes/ts200m/certificates/openssl.cnf

Country Name [C] = GB

State/Province Name [ST] = London

Locality Name [L] = London

Organization Name [O] = Imperial College London

Organizational Unit Name [OU] = London e-Science Centre

Common Name [CN] = ca.lesc.ic.ac.uk

EMail Address [Email] = lesc@imperial.ac.uk

Challenge Password = changeit

 

3. Create our CA's self-signed certificate:

openssl x509 -trustout -signkey certificates/ca/ca.key -days 365 -req -in
certificates/ca/ca.csr -out certificates/ca/ca.pem

cp certificates/ca/ca.pem certificates/ca/ca.crt

vim certificates/ca/ca.crt

edit "ca.crt" so that strings "TRUSTED CERTIFICATE" read "CERTIFICATE"

 

4. Copy JDK Certificate Authorities Keystore into Tomcat root dir:

cp $JAVA_HOME/jre/lib/security/cacerts tomcat/

chmod 0755 tomcat/cacerts

 

5. Import CA certificate into "cacerts":

keytool -import -trustcacerts -keystore tomcat/cacerts -file
certificates/ca/ca.pem -alias LeSC-CA

Keystore Password = changeit

Should get "Certificate was added to keystore" message

 

6. Create file to hold CA's serial numbers:

echo "02" > certificates/ca/ca.srl

 

======================

SETTING UP WEB SERVER

======================

1. Create keystore for server:

(This creates a keystore, as well as a self-signed certificate with the
details provided)

keytool -genkey -alias server -dname "CN=epic-server.lesc.ic.ac.uk,
O=Imperial College London, OU=London e-Science Centre, L=London, S=London,
C=GB" -keysize 1024 -keystore certificates/server/server.ks -keypass
changeit -storepass changeit -storetype JKS -validity 365

 

2. Create certificate request for web server:

keytool -certreq -keystore certificates/server/server.ks -storepass changeit
-alias server -file certificates/server/server.csr

 

3. Sign certificate request with own CA:

openssl x509 -CA certificates/ca/ca.pem -CAkey certificates/ca/ca.key
-CAserial certificates/ca/ca.srl -req -in certificates/server/server.csr
-out certificates/server/server.crt -days 365

 

4. Import CA certificate into keystore as root certificate: (don't know if
-trustcacerts is required...)

keytool -import -alias root -keystore certificates/server/server.ks
-storepass changeit -trustcacerts -keyalg RSA -file certificates/ca/ca.pem

Should see message "Certificate was added to keystore" after import

 

5. Import signed server certificate into server keystore:

(This should replace the self-signed cerificate with alias "server" that was
created when the keystore was created)

keytool -import -alias server -keystore certificates/server/server.ks
-storepass changeit -keyalg RSA -file certificates/server/server.crt

Should see message "Certificate reply was installed in keystore" after
import

 

6. Move keystore file to Tomcat's root dir:

mv certificates/server/server.ks tomcat/

chmod 0755 tomcat/server.ks

 

7. Set up SSL Connector for Tomcat (edit file tomcat/conf/server.xml):

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 55556 -->

<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"

port="55556" minProcessors="5" maxProcessors="75"

enableLookups="true" acceptCount="100" debug="0"

scheme="https" secure="true"

useURIValidationHack="false" disableUploadTimeout="true">

<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"

clientAuth="true" protocol="TLS" 

keystoreFile="server.ks" keystorePass="changeit"

truststoreFile="cacerts" truststorePass="changeit"/>

</Connector>

 

=====================

SET UP AN SSL CLIENT

=====================

1. Create a client certificate request

openssl req -new -newkey rsa:512 -nodes -out certificates/client/client1.req
-keyout certificates/client/client1.key -config
/homes/ts200m/certificates/openssl.cnf

Country Name = GB

State/Province Name = London

Locality Name = London

Organization Name = Imperial College

Organizational Unit Name = Department of Computing

Common Name = Tamas Suto

Email Address = ts200m@doc.ic.ac.uk

Challenge Password = changeit

 

2. Have CA sign client cerificate:

openssl x509 -CA certificates/ca/ca.pem -CAkey certificates/ca/ca.key
-CAserial certificates/ca/ca.srl -req -in certificates/client/client1.req
-out certificates/client/client1.pem -days 365

 

3. Generate PKCS12 file containing client key and certificate:

openssl pkcs12 -export -clcerts -in certificates/client/client1.pem -inkey
certificates/client/client1.key -out certificates/client/client1.p12 -name
"EPIC Client Certificate"

Export Password = changeit

 

4. Import PKCS12 certificate file into browser and use as client certificate
and key

 

If anyone could help me spot where something has gone wron, I would be most
thankful. I have already spent weeks trying to get this working without any
success.

Thanks for any help in advance.

Best regards,

Tamas Suto


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message