tomcat-users mailing list archives

From "Andrew Friebel" <andr...@reynolds.com.au>
Subject RE: Accessing ssl pages using client authentication
Date Tue, 14 Nov 2006 05:26:23 GMT
Can you let me know if this is correct:

1. Generate server keystore:
   a. keytool -genkey -alias <server alias> -keystore <server keystore> -keyalg RSA
   b. Enter server information as prompted
2. Generate client keystore
   a. keytool -genkey -alias <client alias> -keystore <client keystore> -keyalg RSA
   b. Enter server information as prompted
3. Export server certificate:
   a. keytool -export -alias <server alias> -keystore <server keystore> -file <server file>
4. Export client certificate:
   a. keytool -export -alias <client alias> -keystore <client keystore> -file <client file>
5. Import server certificate into client:
   a. keytool -import -alias <server alias> -keystore <client keystore> -file <file - from point 3a>
6. Import client certificate into server:
   a. keytool -import -alias <client alias> -keystore <server keystore> -file <file - from point 4a>

After going through the above motions, it occurred to me that I had not
issued any commands with -selfcert.  So I went through that process as
well, then re-exported and re-imported the certificates into the
relevant keystores (restarting tomcat to ensure the latest certificates
are being used), still with no success (same stack trace as my last
posting).

When I review the certificate, there does not seem to be an extra root
certificate other than the one that I generated to start with.  I feel
that I am missing some fundamental step or setup.

Regards,
Andrew Friebel

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Tuesday, 14 November 2006 12:34 PM
To: Tomcat Users List
Subject: Re: Accessing ssl pages using client authentication

Andrew Friebel wrote:
> Mark,
> 	Thanks for your input.  I have got normal SSL working, and that
> works like a charm (using both IE - doGet, and via a servlet -
> doPost).
Great.

> My certificates are self signed, to answer your questions:
> o	I do not believe this is an issue with self signed certificates
> - as the issuer of the server certificate is created when the keystore
> is created.
I am not sure about this. When I last set this up I had a self-signed
root certificate authority (actually root CAs have to be self signed)
with its own keystore that I then used to sign both the server and the
client certs.

Might be worth giving this a go, again getting basic SSL up and
running first.

Mark
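The layout Mark describes (a self-signed root CA in its own keystore that signs both the server and the client certificate), as an added example that is not part of the thread; aliases, DNs, file names and the password are placeholders, and it assumes a keytool that supports -certreq and -gencert:

```shell
# Added example (not from the thread): the CA-signed layout Mark describes,
# built with keytool. Names, DNs, file names and the password are demo placeholders.
set -eu
PASS="${PASS:-changeit}"   # demo only; use separate, strong passwords in practice

# 1. Self-signed root CA in its own keystore (-ext bc:c = BasicConstraints CA:true).
make_ca() {
  keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 3650 \
    -dname "CN=Demo Root CA" -ext bc:c \
    -keystore ca.p12 -storetype PKCS12 -storepass "$PASS" -keypass "$PASS"
  keytool -exportcert -alias ca -keystore ca.p12 -storepass "$PASS" -rfc -file ca.pem
}

# 2. Key pair + CSR, signed by the CA, then CA cert and signed cert imported back
#    into the same keystore so the entry carries a two-certificate chain.
#    $1 = alias (server|client), $2 = subject DN, $3 = extended key usage
make_signed_entry() {
  name="$1"; dn="$2"; eku="$3"
  keytool -genkeypair -alias "$name" -keyalg RSA -keysize 2048 -dname "$dn" \
    -keystore "$name.p12" -storetype PKCS12 -storepass "$PASS" -keypass "$PASS"
  keytool -certreq -alias "$name" -keystore "$name.p12" -storepass "$PASS" \
    -file "$name.csr"
  keytool -gencert -alias ca -keystore ca.p12 -storepass "$PASS" -validity 365 \
    -ext "eku=$eku" -rfc -infile "$name.csr" -outfile "$name.pem"
  # The CA must already be trusted in this keystore, or the reply import fails.
  keytool -importcert -alias ca -keystore "$name.p12" -storepass "$PASS" \
    -file ca.pem -noprompt
  keytool -importcert -alias "$name" -keystore "$name.p12" -storepass "$PASS" \
    -file "$name.pem" -noprompt
}

# 3. Tomcat's truststore holds only the CA: every cert it signed is then a valid client.
make_truststore() {
  keytool -importcert -alias ca -keystore truststore.p12 -storetype PKCS12 \
    -storepass "$PASS" -file ca.pem -noprompt
}

# Chain length keytool reports for an alias (2 = leaf + CA; a lone self-signed cert is 1).
chain_length() {
  keytool -list -v -alias "$1" -keystore "$1.p12" -storepass "$PASS" \
    | sed -n 's/^Certificate chain length: //p'
}

build_all() {
  make_ca
  make_signed_entry server "CN=localhost" serverAuth
  make_signed_entry client "CN=andrew" clientAuth
  make_truststore
}
```

Point the connector's keystoreFile at server.p12 and truststoreFile at truststore.p12 with clientAuth="true", and import client.p12 into the browser; a chain length of 1 on the server entry is the sign that the cert reply was never imported.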
