tomcat-users mailing list archives

From "Tamas Suto" <>
Subject [URGENT] Problems getting SSL 2-Way Authentication to work
Date Fri, 23 Jan 2004 00:51:21 GMT
To whomever can help:
I'm trying to get a 2-way authentication mechanism working for Tomcat
4.1.29. I have browsed many archives and guides and have come up with some
steps of commands to try and get the whole business up and running (see
further down).
I basically have a server and a client and I want the server to present a
certificate to the client and vice versa, which the server then accepts and
the user gains access to the protected resources.
I am using an own CA (i.e. a self-signed one), which I employ to sign both
the server and the client certificates.
My problem is that even though the server seems to present to me the correct
certificate when I examine it (i.e. correctly signed by my own CA), I get an
error saying the following (using Mozilla to access the site):
"Could not establish an encrypted connection, because certificate presented
by <server> is invalid or corrupted. Error Code: -8182"
I looked this up in the Mozilla error codes database and it had the
annotation "Peer's certificate has an invalid signature".
I am really confused as to why this doesn't work. The exact steps I have
taken for the whole process are as follows:

1. Create directory "certificates" and subdirectories

- ca

- server

- client


2. Create private key and certificate request for our own CA: (from root

openssl req -new -newkey rsa:1024 -nodes -out certificates/ca/ca.csr -keyout
certificates/ca/ca.key -config /homes/ts200m/certificates/openssl.cnf

Country Name [C] = GB

State/Province Name [ST] = London

Locality Name [L] = London

Organization Name [O] = Imperial College London

Organizational Unit Name [OU] = London e-Science Centre

Common Name [CN] =

EMail Address [Email] =

Challenge Password = changeit


3. Create our CA's self-signed certificate:

openssl x509 -trustout -signkey certificates/ca/ca.key -days 365 -req -in
certificates/ca/ca.csr -out certificates/ca/ca.pem

cp certificates/ca/ca.pem certificates/ca/ca.crt

vim certificates/ca/ca.crt

edit "ca.crt" so that strings "TRUSTED CERTIFICATE" read "CERTIFICATE"


4. Copy JDK Certificate Authorities Keystore into Tomcat root dir:

cp $JAVA_HOME/jre/lib/security/cacerts tomcat/

chmod 0755 tomcat/cacerts


5. Import CA certificate into "cacerts":

keytool -import -trustcacerts -keystore tomcat/cacerts -file
certificates/ca/ca.pem -alias LeSC-CA

Keystore Password = changeit

Should get "Certificate was added to keystore" message


6. Create file to hold CA's serial numbers:

echo "02" > certificates/ca/


1. Create keystore for server:

(This creates a keystore, as well as a self-signed certificate with the
details provided)

keytool -genkey -alias server -dname ",
O=Imperial College London, OU=London e-Science Centre, L=London, S=London,
C=GB" -keysize 1024 -keystore certificates/server/server.ks -keypass
changeit -storepass changeit -storetype JKS -validity 365


2. Create certificate request for web server:

keytool -certreq -keystore certificates/server/server.ks -storepass changeit
-alias server -file certificates/server/server.csr


3. Sign certificate request with own CA:

openssl x509 -CA certificates/ca/ca.pem -CAkey certificates/ca/ca.key
-CAserial certificates/ca/ -req -in certificates/server/server.csr
-out certificates/server/server.crt -days 365


4. Import CA certificate into keystore as root certificate: (don't know if
-trustcacerts is required...)

keytool -import -alias root -keystore certificates/server/server.ks
-storepass changeit -trustcacerts -keyalg RSA -file certificates/ca/ca.pem

Should see message "Certificate was added to keystore" after import


5. Import signed server certificate into server keystore:

(This should replace the self-signed certificate with alias "server" that was
created when the keystore was created)

keytool -import -alias server -keystore certificates/server/server.ks
-storepass changeit -keyalg RSA -file certificates/server/server.crt

Should see message "Certificate reply was installed in keystore" after


6. Move keystore file to Tomcat's root dir:

mv certificates/server/server.ks tomcat/

chmod 0755 tomcat/server.ks


7. Set up SSL Connector for Tomcat (edit file tomcat/conf/server.xml):

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 55556 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="55556" minProcessors="5" maxProcessors="75"
           enableLookups="true" acceptCount="100" debug="0"
           scheme="https" secure="true"
           useURIValidationHack="false" disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="true" protocol="TLS"
           keystoreFile="server.ks" keystorePass="changeit"
           truststoreFile="cacerts" truststorePass="changeit"/>
</Connector>


1. Create a client certificate request

openssl req -new -newkey rsa:512 -nodes -out certificates/client/client1.req
-keyout certificates/client/client1.key -config

Country Name = GB

State/Province Name = London

Locality Name = London

Organization Name = Imperial College

Organizational Unit Name = Department of Computing

Common Name = Tamas Suto

Email Address =

Challenge Password = changeit


2. Have CA sign client certificate:

openssl x509 -CA certificates/ca/ca.pem -CAkey certificates/ca/ca.key
-CAserial certificates/ca/ -req -in certificates/client/client1.req
-out certificates/client/client1.pem -days 365


3. Generate PKCS12 file containing client key and certificate:

openssl pkcs12 -export -clcerts -in certificates/client/client1.pem -inkey
certificates/client/client1.key -out certificates/client/client1.p12 -name
"EPIC Client Certificate"

Export Password = changeit


4. Import PKCS12 certificate file into browser and use as client certificate
and key


If anyone could help me spot where something has gone wrong, I would be most
thankful. I have already spent weeks trying to get this working without any

Thanks for any help in advance.

Best regards,

Tamas Suto
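A check related to step 3 of the CA section above (hand-editing the "TRUSTED CERTIFICATE" label), added here as an example and not code from the original post: `openssl x509 -trustout` writes the certificate under a TRUSTED CERTIFICATE header and may append OpenSSL's trust-settings trailer (CertAux) after the certificate DER inside the same base64 body, so renaming the label alone does not guarantee a plain certificate. This standard-library Python script splits the body on DER framing, keeps only the first SEQUENCE (the certificate itself) and re-emits it under a CERTIFICATE label; the sample PEM body is a constructed placeholder DER, not a real certificate.

```python
"""Normalise an OpenSSL "TRUSTED CERTIFICATE" PEM into a plain "CERTIFICATE" PEM.
Constructed example, not code from the original post."""
import base64
import re
from typing import Tuple

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_object_length(der: bytes, offset: int = 0) -> int:
    """Total size (tag + length octets + content) of the DER object at offset."""
    if len(der) < offset + 2:
        raise ValueError("truncated DER header")
    first = der[offset + 1]
    if first < 0x80:                      # short form: one length octet
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(der) < offset + 2 + n:
        raise ValueError("bad DER long-form length")
    return 2 + n + int.from_bytes(der[offset + 2:offset + 2 + n], "big")


def normalise_pem(text: str) -> Tuple[str, int]:
    """Return (plain CERTIFICATE PEM, number of trailing bytes dropped)."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label not in ("CERTIFICATE", "TRUSTED CERTIFICATE"):
        raise ValueError("unexpected PEM label: " + label)
    der = base64.b64decode("".join(body.split()))
    if not der or der[0] != 0x30:         # an X.509 Certificate is a SEQUENCE
        raise ValueError("body does not start with a DER SEQUENCE")
    cert_len = der_object_length(der)
    if cert_len > len(der):
        raise ValueError("DER length runs past the PEM body")
    b64 = base64.b64encode(der[:cert_len]).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    out = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)
    return out, len(der) - cert_len


def constructed_trusted_pem() -> str:
    """Constructed sample: a placeholder SEQUENCE {INTEGER 5} standing in for a
    certificate, followed by an empty SEQUENCE standing in for CertAux."""
    body = base64.b64encode(b"\x30\x03\x02\x01\x05" + b"\x30\x00").decode()
    return "-----BEGIN TRUSTED CERTIFICATE-----\n%s\n-----END TRUSTED CERTIFICATE-----\n" % body


if __name__ == "__main__":
    pem, dropped = normalise_pem(constructed_trusted_pem())
    print(pem, "trailing bytes dropped:", dropped)
```

Running it on a real ca.pem reports how many bytes followed the certificate; a count of zero means the manual label rename in the post already yields an equivalent file.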
