tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Julian W H Osborne <josbo...@imsmaxims.com>
Subject Cleint Side Certificates
Date Wed, 22 Dec 2004 16:25:24 GMT
Dear All,

I've been trying to get client/server certificates working with tomcat 
now for a while and I'm not having much success.  I have generated 
certificates which have worked successfully with apache but not tomcat.

I decided to script what I needed to do, so hopefully if anyone can see 
a problem with what I am doing they can help!!

I've modified the servers.xml file to clientAuth="true" (btw everything 
works if it is false), and I've added the path for the key store and the 
password for the key store, other than that there is nothing unusual in 
the the config file.

The openssl.cnf file has only been modified to include valid DN enteries.

I've pasted the script I am using below.

Any help greatfully received.

Thanks


Julian


#!/bin/sh

SSL_DIR=/usr/share/ssl/

JAVA_BIN=/usr/java/j2sdk1.4.2_04/jre/bin/
KEYTOOL=${JAVA_BIN}keytool
KEYSTORE_TYPE=jks
KEYSTORE=${SSL_DIR}java/$1-keystore.${KEYSTORE_TYPE}

echo Extracting Private Key .......
echo "Enter Private Key Password: "
stty_orig=`stty -g`
stty -echo
read PASSWORD
stty $stty_orig

DN='CN='$1', OU=it-dept, O=IMS MAXIMS Plc, L=Milton Keynes, 
S=Buckinghamshire, C=GB'

CACERT=${SSL_DIR}imscacert.pem

cd ${SSL_DIR}java

echo Using ${DN} .......

echo Generating key .......
${KEYTOOL} -genkey -dname "${DN}" -alias tomcat -keyalg RSA -keystore 
${KEYSTORE} -storetype ${KEYSTORE_TYPE} -keypass ${PASSWORD} -storepass 
${PASSWORD}

echo Generating certificate request .......
${KEYTOOL} -certreq -keyalg RSA -alias tomcat -file $1.csr -keystore 
${KEYSTORE} -storetype ${KEYSTORE_TYPE} -storepass ${PASSWORD} -keypass 
${PASSWORD}

echo Exporting key .......
${KEYTOOL} -export -alias tomcat -keystore ${KEYSTORE} -file 
$1-exported.crt -storepass ${PASSWORD}

echo Converting key .......
openssl x509 -out $1-exported.pem -outform pem -text -in $1-exported.crt 
-inform der

${JAVA_BIN}java ExportPriv ${KEYSTORE} tomcat ${PASSWORD} > $1.key

cp $1.csr ${SSL_DIR}clients/requests/
cp $1.key ${SSL_DIR}clients/keys/

cd ${SSL_DIR}clients

echo Signing server-side certificate .......
openssl ca -out ./completed/$1.crt -infiles ./requests/$1.csr

echo Converting certificate .......
openssl x509 -in ./completed/$1.crt -out ./completed/$1.pem

echo Signing client-side certificate
openssl pkcs12 -export -in ./completed/$1.pem -inkey ./keys/$1.key -out 
./client-side/$1.p12

cd ${SSL_DIR}java

echo Updating root certificate in keystore .......
${KEYTOOL} -import -trustcacerts -alias "IMS MAXIMS CA"  -keystore 
${KEYSTORE} -storetype ${KEYSTORE_TYPE} -file ${CACERT} -storepass 
${PASSWORD}

echo Updating server-side certificate in keystore
${KEYTOOL} -import -trustcacerts -alias tomcat -keystore ${KEYSTORE} 
-storetype ${KEYSTORE_TYPE} -file ${SSL_DIR}clients/completed/$1.pem 
-storepass ${PASSWORD}

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message