tomcat-users mailing list archives

From Julian W H Osborne <josbo...@imsmaxims.com>
Subject Re: Client Side Certificates
Date Thu, 23 Dec 2004 17:52:30 GMT
Julian W H Osborne wrote:
> Bill Barker wrote:
> 
>> "Julian W H Osborne" <josborne@imsmaxims.com> wrote in message 
>> news:41C99FF4.80509@imsmaxims.com...
>>
>>> Dear All,
>>>
>>> I've been trying to get client/server certificates working with 
>>> tomcat now for a while and I'm not having much success.  I have 
>>> generated certificates which have worked successfully with apache but 
>>> not tomcat.
>>>
>>> I decided to script what I needed to do, so hopefully if anyone can 
>>> see a problem with what I am doing they can help!!
>>>
>>> I've modified the server.xml file to clientAuth="true" (btw 
>>> everything works if it is false), and I've added the path for the key 
>>> store and the password for the key store, other than that there is 
>>> nothing unusual in the config file.
>>>
>>
>>
>> Well, that's your problem then ;-).  You need to configure your 
>> truststore to tell Tomcat how to validate client certs.  For TC 5.x.x, 
>> you need to add truststoreFile="/path/to/trust.store" and 
>> truststorePass="<your-password-here>" to your <Connector> element in 
>> server.xml.
>>
> 
> Okay, I'm using version 4.1.29.  I've added in truststoreFile and 
> truststorePass.  I've pointed truststoreFile at the same keystore as I'm 
> using for keystoreFile.  But I'm still having a problem.  If I use 
> Firefox to test it I get "Could not establish an encrypted connection 
> because your certificate was rejected by ...."
> 
> I have imported the client side cert into firefox.
> 
> Still stumped!

I've also imported the CA cert I'm using into the trusted cacerts file 
in $JAVA_HOME/jre/lib/security/cacerts and still no joy.

> 
> Thanks in advance
> 
> Julian
> 
> 
> 
>>
>>> The openssl.cnf file has only been modified to include valid DN 
>>> entries.
>>>
>>> I've pasted the script I am using below.
>>>
>>> Any help gratefully received.
>>>
>>> Thanks
>>>
>>>
>>> Julian
>>>
>>>
>>> #!/bin/sh
>>> # Generate a Tomcat server keypair in a JKS keystore, have it signed by
>>> # the local OpenSSL CA, and package the same key and certificate as a
>>> # PKCS#12 bundle for the browser.  $1 is the host name, used as the CN
>>> # and as the file-name stem.
>>> set -e
>>>
>>> SSL_DIR=/usr/share/ssl/
>>>
>>> JAVA_BIN=/usr/java/j2sdk1.4.2_04/jre/bin/
>>> KEYTOOL=${JAVA_BIN}keytool
>>> KEYSTORE_TYPE=jks
>>> KEYSTORE=${SSL_DIR}java/$1-keystore.${KEYSTORE_TYPE}
>>>
>>> # Read the keystore password without echoing it.  It is still handed
>>> # to keytool on the command line below, so it is visible in the process
>>> # list to other local users while keytool runs.
>>> echo Reading keystore password .......
>>> echo "Enter Private Key Password: "
>>> stty_orig=`stty -g`
>>> stty -echo
>>> read PASSWORD
>>> stty $stty_orig
>>>
>>> DN='CN='$1', OU=it-dept, O=IMS MAXIMS Plc, L=Milton Keynes, S=Buckinghamshire, C=GB'
>>>
>>> CACERT=${SSL_DIR}imscacert.pem
>>>
>>> cd ${SSL_DIR}java
>>>
>>> echo Using ${DN} .......
>>>
>>> echo Generating key .......
>>> ${KEYTOOL} -genkey -dname "${DN}" -alias tomcat -keyalg RSA \
>>>     -keystore ${KEYSTORE} -storetype ${KEYSTORE_TYPE} \
>>>     -keypass "${PASSWORD}" -storepass "${PASSWORD}"
>>>
>>> # keytool -certreq takes no -keyalg option (the key already exists);
>>> # the signature algorithm, if one must be chosen, is -sigalg.
>>> echo Generating certificate request .......
>>> ${KEYTOOL} -certreq -alias tomcat -file $1.csr \
>>>     -keystore ${KEYSTORE} -storetype ${KEYSTORE_TYPE} \
>>>     -storepass "${PASSWORD}" -keypass "${PASSWORD}"
>>>
>>> # Export the (still self-signed) certificate in DER form ...
>>> echo Exporting certificate .......
>>> ${KEYTOOL} -export -alias tomcat -keystore ${KEYSTORE} \
>>>     -file $1-exported.crt -storepass "${PASSWORD}"
>>>
>>> # ... and convert it to PEM so the openssl tools can read it.
>>> echo Converting certificate .......
>>> openssl x509 -out $1-exported.pem -outform pem -text \
>>>     -in $1-exported.crt -inform der
>>>
>>> # ExportPriv is a local helper class (not shown here) that dumps the
>>> # private key out of the JKS keystore so openssl pkcs12 can use it.
>>> ${JAVA_BIN}java ExportPriv ${KEYSTORE} tomcat "${PASSWORD}" > $1.key
>>>
>>> cp $1.csr ${SSL_DIR}clients/requests/
>>> cp $1.key ${SSL_DIR}clients/keys/
>>>
>>> cd ${SSL_DIR}clients
>>>
>>> # Sign the CSR with the CA configured in openssl.cnf.
>>> echo Signing server-side certificate .......
>>> openssl ca -out ./completed/$1.crt -infiles ./requests/$1.csr
>>>
>>> echo Converting signed certificate .......
>>> openssl x509 -in ./completed/$1.crt -out ./completed/$1.pem
>>>
>>> # Bundle the signed certificate and private key as PKCS#12 for the browser.
>>> echo Building client-side PKCS12 bundle .......
>>> openssl pkcs12 -export -in ./completed/$1.pem -inkey ./keys/$1.key \
>>>     -out ./client-side/$1.p12
>>>
>>> cd ${SSL_DIR}java
>>>
>>> # Import the CA certificate first so the signed reply below can be chained.
>>> echo Updating root certificate in keystore .......
>>> ${KEYTOOL} -import -trustcacerts -alias "IMS MAXIMS CA" -keystore ${KEYSTORE} \
>>>     -storetype ${KEYSTORE_TYPE} -file ${CACERT} -storepass "${PASSWORD}"
>>>
>>> # Importing under the existing alias replaces the self-signed certificate
>>> # with the CA-signed one (the certificate reply).
>>> echo Updating server-side certificate in keystore .......
>>> ${KEYTOOL} -import -trustcacerts -alias tomcat -keystore ${KEYSTORE} \
>>>     -storetype ${KEYSTORE_TYPE} -file ${SSL_DIR}clients/completed/$1.pem \
>>>     -storepass "${PASSWORD}"


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
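The point Bill makes above is that clientAuth="true" only tells Tomcat to demand a client certificate; truststoreFile/truststorePass tell it which CA to validate that certificate against, and without them JSSE falls back to the JVM's own trust store (javax.net.ssl.trustStore, or $JAVA_HOME/jre/lib/security/cacerts). The small checker below is an added example, not code from the thread or from Tomcat: it reads a server.xml, finds the HTTPS connectors, and reports that gap, plus the shortcut of pointing truststoreFile at the server keystore. It handles both layouts, the Tomcat 5.x one with the SSL attributes on <Connector> and the Tomcat 4.1 one where they sit on a nested <Factory> element. The embedded server.xml is constructed for the example, and its paths and passwords are made up.

```python
"""Lint the client-auth settings of Tomcat HTTPS connectors in a server.xml."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the thread).  8443 uses the Tomcat
# 4.1 <Factory> layout with clientAuth but no truststore; 8444 points the
# truststore at the server keystore, as the poster did; 8445 is the corrected
# form with a dedicated truststore.  Paths and passwords are hypothetical.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" scheme="https" secure="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="true" protocol="TLS"
               keystoreFile="/usr/share/ssl/java/server-keystore.jks"
               keystorePass="changeit"/>
    </Connector>
    <Connector port="8444" scheme="https" secure="true" clientAuth="true"
               keystoreFile="/usr/share/ssl/java/server-keystore.jks"
               keystorePass="s3rv3r-pw"
               truststoreFile="/usr/share/ssl/java/server-keystore.jks"
               truststorePass="s3rv3r-pw"/>
    <Connector port="8445" scheme="https" secure="true" clientAuth="true"
               keystoreFile="/usr/share/ssl/java/server-keystore.jks"
               keystorePass="s3rv3r-pw"
               truststoreFile="/usr/share/ssl/java/client-ca-truststore.jks"
               truststorePass="trust-pw"/>
    <Connector port="8080"/>
  </Service>
</Server>
"""

SSL_ATTRS = ("clientAuth", "keystoreFile", "keystorePass",
             "truststoreFile", "truststorePass")
DEFAULT_KEYSTORE_PASS = "changeit"   # Tomcat's documented default for keystorePass


def ssl_settings(connector):
    """Collect SSL attributes from a Connector, letting a nested <Factory>
    (Tomcat 4.1 layout) override attributes placed on the Connector itself."""
    settings = {k: v for k, v in connector.attrib.items() if k in SSL_ATTRS}
    factory = connector.find("Factory")
    if factory is not None:
        settings.update((k, v) for k, v in factory.attrib.items() if k in SSL_ATTRS)
    return settings


def is_https(connector):
    return (connector.get("scheme") == "https"
            or connector.get("secure", "false").lower() == "true")


def lint_connector(connector):
    """Return [(severity, message), ...] for one HTTPS connector."""
    port = connector.get("port", "?")
    s = ssl_settings(connector)
    findings = []
    client_auth = s.get("clientAuth", "false").lower()
    if client_auth in ("true", "want"):
        if "truststoreFile" not in s:
            findings.append(("ERROR", f"port {port}: clientAuth={client_auth} but no "
                "truststoreFile; JSSE falls back to javax.net.ssl.trustStore or "
                "$JAVA_HOME/jre/lib/security/cacerts, so client certs are checked "
                "against the JVM's bundled public CAs rather than your own"))
        elif s["truststoreFile"] == s.get("keystoreFile"):
            findings.append(("WARN", f"port {port}: truststoreFile is the server keystore; "
                "every CA imported there becomes a client-auth trust anchor. Keep a "
                "dedicated truststore holding only the CA that issues client certs"))
    elif "truststoreFile" in s:
        findings.append(("INFO", f"port {port}: truststoreFile set but clientAuth is "
            f"{client_auth}; client certificates are never requested"))
    if s.get("keystorePass", DEFAULT_KEYSTORE_PASS) == DEFAULT_KEYSTORE_PASS:
        findings.append(("WARN", f"port {port}: keystorePass is the Tomcat default "
            f"'{DEFAULT_KEYSTORE_PASS}'"))
    return findings


def lint_server_xml(xml_text):
    """Map each HTTPS connector's port to its list of findings."""
    root = ET.fromstring(xml_text)
    return {c.get("port", "?"): lint_connector(c)
            for c in root.iter("Connector") if is_https(c)}


if __name__ == "__main__":
    for port, findings in lint_server_xml(SAMPLE_SERVER_XML).items():
        print(f"connector {port}: {'OK' if not findings else ''}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run against a real file with lint_server_xml(open("server.xml").read()). The 4.1 Factory merge matters for this thread: on 4.1.29 the truststore attributes belong on the <Factory> element, not on <Connector>, so a checker that looks only at Connector attributes would miss the configuration entirely.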

