tomcat-users mailing list archives

From Julian W H Osborne <>
Subject Client Side Certificates
Date Wed, 22 Dec 2004 16:25:24 GMT
Dear All,

I've been trying to get client/server certificates working with tomcat 
now for a while and I'm not having much success.  I have generated 
certificates which have worked successfully with apache but not tomcat.

I decided to script what I needed to do, so hopefully if anyone can see 
a problem with what I am doing they can help!!

I've modified the server.xml file to clientAuth="true" (btw everything 
works if it is false), and I've added the path for the key store and the 
password for the key store, other than that there is nothing unusual in 
the config file.

The openssl.cnf file has only been modified to include valid DN entries.

I've pasted the script I am using below.

Any help gratefully received.

#!/bin/sh
# Usage: mkcert.sh <name>   -- <name> becomes the certificate CN and the file prefix.
# SSL_DIR, JAVA_BIN, KEYTOOL, KEYSTORE, KEYSTORE_TYPE and CACERT are taken from the
# environment; the posted script used them without defining them, so fail early if unset.
set -e
: "${SSL_DIR:?set SSL_DIR to the directory holding java/ and clients/ (trailing slash)}"
: "${JAVA_BIN:?set JAVA_BIN to the JDK bin directory (trailing slash)}"
: "${KEYTOOL:?set KEYTOOL to the keytool binary}"
: "${KEYSTORE:?set KEYSTORE to the keystore file name}"
: "${KEYSTORE_TYPE:?set KEYSTORE_TYPE, e.g. JKS}"
: "${CACERT:?set CACERT to the CA certificate file}"
[ -n "$1" ] || { echo "usage: $0 <name>" >&2; exit 1; }

echo Extracting Private Key .......
echo "Enter Private Key Password: "
stty_orig=`stty -g`
stty -echo
read -r PASSWORD       # missing in the posted script: PASSWORD was used below but never read
stty $stty_orig
echo

# One string; the line break in the posted version would have broken the DN.
DN="CN=$1, OU=it-dept, O=IMS MAXIMS Plc, L=Milton Keynes, S=Buckinghamshire, C=GB"

cd ${SSL_DIR}java

echo Using ${DN} .......

# Self-signed RSA key pair under alias "tomcat"; the same password guards key and store.
echo Generating key .......
${KEYTOOL} -genkey -dname "${DN}" -alias tomcat -keyalg RSA -keystore \
  ${KEYSTORE} -storetype ${KEYSTORE_TYPE} -keypass ${PASSWORD} -storepass ${PASSWORD}

echo Generating certificate request .......
${KEYTOOL} -certreq -keyalg RSA -alias tomcat -file $1.csr -keystore \
  ${KEYSTORE} -storetype ${KEYSTORE_TYPE} -storepass ${PASSWORD} -keypass ${PASSWORD}

# Export the (still self-signed) certificate as DER and convert it to PEM for inspection.
echo Exporting key .......
${KEYTOOL} -export -alias tomcat -keystore ${KEYSTORE} -file \
  $1-exported.crt -storepass ${PASSWORD}

echo Converting key .......
openssl x509 -out $1-exported.pem -outform pem -text -in $1-exported.crt \
  -inform der

# ExportPriv is the poster's own helper class, not a JDK tool: it prints the private
# key for the alias so openssl can build the PKCS#12 bundle below.
${JAVA_BIN}java ExportPriv ${KEYSTORE} tomcat ${PASSWORD} > $1.key

cp $1.csr ${SSL_DIR}clients/requests/
cp $1.key ${SSL_DIR}clients/keys/

cd ${SSL_DIR}clients

# Sign the request with the local CA (CA settings come from openssl.cnf).
echo Signing server-side certificate .......
openssl ca -out ./completed/$1.crt -infiles ./requests/$1.csr

echo Converting certificate .......
openssl x509 -in ./completed/$1.crt -out ./completed/$1.pem

# Bundle certificate and key for the browser. The output file name was cut off in
# the posted script; ./completed/$1.p12 is assumed here.
echo Signing client-side certificate
openssl pkcs12 -export -in ./completed/$1.pem -inkey ./keys/$1.key -out \
  ./completed/$1.p12

cd ${SSL_DIR}java

# Add the CA certificate to the keystore, then replace the self-signed "tomcat"
# entry with the CA-signed certificate.
echo Updating root certificate in keystore .......
${KEYTOOL} -import -trustcacerts -alias "IMS MAXIMS CA" -keystore \
  ${KEYSTORE} -storetype ${KEYSTORE_TYPE} -file ${CACERT} -storepass ${PASSWORD}

echo Updating server-side certificate in keystore
${KEYTOOL} -import -trustcacerts -alias tomcat -keystore ${KEYSTORE} \
  -storetype ${KEYSTORE_TYPE} -file ${SSL_DIR}clients/completed/$1.pem \
  -storepass ${PASSWORD}
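Added example, not from the post or from Tomcat: with clientAuth="true" the server accepts a client certificate only if it chains to a CA it trusts, so the first thing to check is whether the issued certificate actually verifies against the intended CA. This openssl-only script builds a throwaway CA, issues one client certificate from it and one from an unrelated CA (mirroring the post's openssl ca and pkcs12 steps), and checks each as the server would; all names, subjects and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). All names and subjects are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# chains_to_ca CERT CAFILE: succeeds iff CERT chains to the CA certificate in CAFILE.
chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_ca NAME: self-signed root certificate NAME.pem with private key NAME.key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
    -days 1 -subj "/CN=$1/O=Example Ltd/C=GB" >/dev/null 2>&1
}

# issue_client CSR CANAME OUT: sign CSR with CANAME (the role 'openssl ca' plays in the post).
issue_client() {
  openssl x509 -req -in "$1" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -out "$3" -days 1 >/dev/null 2>&1
}

make_ca demo-ca
make_ca other-ca

# Client key and request (keytool -genkey / -certreq do the same job in the post).
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=alice/OU=it-dept/O=Example Ltd/C=GB" >/dev/null 2>&1
issue_client client.csr demo-ca client.pem
issue_client client.csr other-ca client-other.pem

# Browser bundle, as in the post's 'openssl pkcs12 -export' step, with the CA as chain.
openssl pkcs12 -export -in client.pem -inkey client.key -certfile demo-ca.pem \
  -out client.p12 -passout pass:demo >/dev/null 2>&1

chains_to_ca client.pem demo-ca.pem && echo "client.pem: issued by demo-ca, accepted"
chains_to_ca client-other.pem demo-ca.pem || echo "client-other.pem: not issued by demo-ca, rejected"
```

Run the same `openssl verify` with the real CA file against the certificate the script above produces; if that fails, Tomcat will reject the client before any servlet sees the request.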
