tomcat-users mailing list archives

From Julian W H Osborne <josbo...@imsmaxims.com>
Subject Re: Client Side Certificates
Date Thu, 23 Dec 2004 12:20:01 GMT
Bill Barker wrote:
> "Julian W H Osborne" <josborne@imsmaxims.com> wrote in message 
> news:41C99FF4.80509@imsmaxims.com...
> 
>>Dear All,
>>
>>I've been trying to get client/server certificates working with tomcat now 
>>for a while and I'm not having much success.  I have generated 
>>certificates which have worked successfully with apache but not tomcat.
>>
>>I decided to script what I needed to do, so hopefully if anyone can see a 
>>problem with what I am doing they can help!!
>>
>>I've modified the servers.xml file to clientAuth="true" (btw everything 
>>works if it is false), and I've added the path for the key store and the 
>>password for the key store, other than that there is nothing unusual in 
>>the config file.
>>
> 
> 
> Well, that's your problem then ;-).  You need to configure your truststore 
> to tell Tomcat how to validate client certs.  For TC 5.x.x, you need to add 
> truststoreFile="/path/to/trust.store" and 
> truststorePass="<your-password-here>" to your <Connector> element in 
> server.xml.
>

Okay, I'm using version 4.1.29.  I've added in truststoreFile and 
truststorePass.  I've pointed truststoreFile at the same keystore as I'm 
using for keystoreFile.  But I'm still having a problem.  If I use 
Firefox to test it I get "Could not establish an encrypted connection 
because your certificate was rejected by ...."

I have imported the client side cert into firefox.

Still stumped!

Thanks in advance

Julian



> 
>>The openssl.cnf file has only been modified to include valid DN entries.
>>
>>I've pasted the script I am using below.
>>
>>Any help gratefully received.
>>
>>Thanks
>>
>>
>>Julian
>>
>>
>>#!/bin/sh
>>
>>SSL_DIR=/usr/share/ssl/
>>
>>JAVA_BIN=/usr/java/j2sdk1.4.2_04/jre/bin/
>>KEYTOOL=${JAVA_BIN}keytool
>>KEYSTORE_TYPE=jks
>>KEYSTORE=${SSL_DIR}java/$1-keystore.${KEYSTORE_TYPE}
>>
>>echo Extracting Private Key .......
>>echo "Enter Private Key Password: "
>>stty_orig=`stty -g`
>>stty -echo
>>read PASSWORD
>>stty $stty_orig
>>
>>DN='CN='$1', OU=it-dept, O=IMS MAXIMS Plc, L=Milton Keynes, S=Buckinghamshire, C=GB'
>>
>>CACERT=${SSL_DIR}imscacert.pem
>>
>>cd ${SSL_DIR}java
>>
>>echo Using ${DN} .......
>>
>>echo Generating key .......
>>${KEYTOOL} -genkey -dname "${DN}" -alias tomcat -keyalg RSA -keystore \
>>${KEYSTORE} -storetype ${KEYSTORE_TYPE} -keypass ${PASSWORD} -storepass \
>>${PASSWORD}
>>
>>echo Generating certificate request .......
>>${KEYTOOL} -certreq -keyalg RSA -alias tomcat -file $1.csr -keystore \
>>${KEYSTORE} -storetype ${KEYSTORE_TYPE} -storepass ${PASSWORD} -keypass \
>>${PASSWORD}
>>
>>echo Exporting key .......
>>${KEYTOOL} -export -alias tomcat -keystore ${KEYSTORE} -file \
>>$1-exported.crt -storepass ${PASSWORD}
>>
>>echo Converting key .......
>>openssl x509 -out $1-exported.pem -outform pem -text -in \
>>$1-exported.crt -inform der
>>
>>${JAVA_BIN}java ExportPriv ${KEYSTORE} tomcat ${PASSWORD} > $1.key
>>
>>cp $1.csr ${SSL_DIR}clients/requests/
>>cp $1.key ${SSL_DIR}clients/keys/
>>
>>cd ${SSL_DIR}clients
>>
>>echo Signing server-side certificate .......
>>openssl ca -out ./completed/$1.crt -infiles ./requests/$1.csr
>>
>>echo Converting certificate .......
>>openssl x509 -in ./completed/$1.crt -out ./completed/$1.pem
>>
>>echo Signing client-side certificate
>>openssl pkcs12 -export -in ./completed/$1.pem -inkey ./keys/$1.key -out \
>>./client-side/$1.p12
>>
>>cd ${SSL_DIR}java
>>
>>echo Updating root certificate in keystore .......
>>${KEYTOOL} -import -trustcacerts -alias "IMS MAXIMS CA" -keystore \
>>${KEYSTORE} -storetype ${KEYSTORE_TYPE} -file ${CACERT} -storepass \
>>${PASSWORD}
>>
>>echo Updating server-side certificate in keystore
>>${KEYTOOL} -import -trustcacerts -alias tomcat -keystore \
>>${KEYSTORE} -storetype ${KEYSTORE_TYPE} -file \
>>${SSL_DIR}clients/completed/$1.pem -storepass ${PASSWORD}


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
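The check Bill describes (the client certificate must chain to a CA held in the truststore) can be reproduced with openssl alone, without Tomcat or keytool. This is an added example, not code from the thread; it assumes openssl 1.1.1 or later on PATH, and the names demo-ca, other-ca and demo-client are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce with openssl alone the check
# Tomcat performs against its truststore when clientAuth="true": the client
# certificate must chain to a CA certificate held in that truststore.
# All names (demo-ca, other-ca, demo-client) and the temp dir are made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Two unrelated self-signed CAs. demo-ca issues the client cert; other-ca
# stands in for a truststore that does not contain the issuer.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout ca.key -out ca.pem 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
    -keyout other.key -out other.pem 2>/dev/null

# Client key and CSR, then sign with demo-ca (the thread's script does the
# same step with `openssl ca`).
openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
    -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out client.pem 2>/dev/null

# verify_client TRUSTSTORE_PEM CLIENT_PEM
# Prints "accepted" or "rejected" and returns 0/1: the same outcome Tomcat's
# truststore check reaches for the given CA bundle.
verify_client() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
        return 1
    fi
}

verify_client ca.pem client.pem              # accepted: issuer is trusted
verify_client other.pem client.pem || true   # rejected: issuer not in bundle
```

The second call is the situation Bill's reply points at: a client certificate whose issuing CA is absent from the truststore is rejected even though the certificate itself is valid. To list which CA entries a JKS truststore actually holds, run `keytool -list -v -keystore /path/to/trust.store`.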

