tomcat-users mailing list archives

From "Jason Pyeron" <jpye...@pdinc.us>
Subject RE: client authentication using a smart card
Date Tue, 20 Oct 2009 12:16:00 GMT

> -----Original Message-----
> From: Marcello Marangio [mailto:m.marangio@innova.puglia.it] 
> > -----Messaggio originale-----
> > Da: Jason Pyeron [mailto:jpyeron@pdinc.us]
> > > -----Original Message-----
> > > From: Marcello Marangio [mailto:m.marangio@innova.puglia.it]
> > > > Da: Jason Pyeron [mailto:jpyeron@pdinc.us]
> > > > > From: Marcello Marangio [mailto:m.marangio@innova.puglia.it]
> > > > > > Da: Jason Pyeron [mailto:jpyeron@pdinc.us]
> > > > >
> > > > > Ok.
> > > > > I made the same thing with IE and in the debug it says "null
> > > > > cert chain" during the client authentication handshake.
> > > > > Now I am confused...
> > > > >
> > > >
> > > > Let's step back and look.
> > > >
> > > > Can you provide the smart card and server certificate chain
> > > > (no keys please)?
> > >
> > > Hang on a second...
> > > The server certificate is a self-signed certificate I made with
> > > keytool.
> > > The smart card certificate, instead, is a real one, I use it to legally
> > > sign electronic documents; the issuer is an Italian CA.
> > >
> > > Do you expect the issuer of the smart card certificate to be the 
> > > same as the server one?
> > 
> > Not always.
> > 
> > Let's take for example:
> > 
> > 
> > https://mail.pdinc.us <-PD Inc Public CA<-PD Inc Root CA
> > 
> >  and
> > 
> > MySmartCard <- DOD EMAIL CA-15 <- DoD Root CA-2
> > 
> > The smime cert used on this email
> > 
> > I can use my smart card to auth against the server. But the
> > server must know about DoD Root CA-2.
> > 
> 
> 
> Ok. In my case:
> 
> 
> https://localhost <- self signed certificate
> and
> Mysmartcard <- my certificate <- infocamere root CA
> 
> And in my trusted certificates keystore there is infocamere root CA.


As a point of note, we always avoid using self-signed certs for any purpose
other than a CA.

Let's take the first few steps toward making this more proper.

1. Create a self-signed CA cert.
2. Create your web server cert and sign it with the CA.
3. Install it (and the chain) in the web server.
4. Install the CA into your browser.
4a. For IE, it would be the Trusted Root Certification Authorities.
4b. You can do this by browsing to the web server,
4c. ignoring the errors,
4d. viewing the certs (click on the padlock),
4e. looking at the chain (there is a hierarchy, right?),
4f. selecting and opening the root of the hierarchy,
4g. Install cert
4g1. select where to place it
4g2. select Trusted Root Certification Authorities (if for all users, select the
all-users physical store for TRCA)
5. Exit the browser (all of the windows; verify iexplore.exe is not running), and
revisit the server, confirming no security prompts.

Let me know if/where you get stuck.

> 
> Please find in attachment a signed text file you can read my 
> cert info from.
> 
> Thanks
> Marcello
> 



--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
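The five-step procedure in the reply above, carried out end to end as an added example (it is not code from the original thread, from PD Inc, or from Tomcat). It uses openssl only rather than keytool so it runs anywhere openssl is installed; the CA name "Example Lab Root CA", the host name "localhost", the keystore password "changeit", the work directory and the validity periods are all assumptions for the demo. It also adds the checks a practitioner wants before touching the server: the leaf chains to the CA, the CA is the only self-signed certificate, and the keystore opens with the password.

```shell
#!/bin/sh
# Added example, not code from the original thread: build the CA -> server
# certificate hierarchy from the five steps with openssl only.  The CA name,
# the host name "localhost", the keystore password "changeit" and the work
# directory are assumptions for the demo; change them for real use.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_SUBJ="/CN=Example Lab Root CA"
KS_PASS="changeit"

# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Step 1: the only self-signed certificate in the hierarchy is the CA.
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/ca.key" \
    -subj "$CA_SUBJ" -out "$WORK/ca.csr"
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
    -sha256 -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: server certificate signed by the CA (CA:FALSE, serverAuth, SAN).
make_server_cert() {
  host="$1"
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/server.key" \
    -subj "/CN=$host" -out "$WORK/server.csr"
  printf 'basicConstraints = critical, CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$host" > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/server.ext" \
    -out "$WORK/server.crt" 2>/dev/null
}

# Step 3: key + server cert + chain in one PKCS#12 keystore for the web server.
make_keystore() {
  openssl pkcs12 -export -name tomcat -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/ca.crt" -passout "pass:$KS_PASS" -out "$WORK/server.p12"
}

# Step 4: the CA certificate alone, DER-encoded, is what gets imported into the
# browser's Trusted Root Certification Authorities store (never the CA key).
export_ca_for_browser() {
  openssl x509 -in "$WORK/ca.crt" -outform DER -out "$WORK/ca.cer"
}

# Checks: does the server cert chain to the CA, which certs are self-signed,
# and does the keystore open with the password?
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null; }

is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

check_keystore() {
  openssl pkcs12 -in "$WORK/server.p12" -passin "pass:$KS_PASS" -nokeys -noout
}

main() {
  make_ca
  make_server_cert localhost
  make_keystore
  export_ca_for_browser
  verify_chain
  is_self_signed "$WORK/ca.crt"
  if is_self_signed "$WORK/server.crt"; then
    echo "server cert must not be self-signed" >&2
    return 1
  fi
  check_keystore
  echo "keystore: $WORK/server.p12  browser import: $WORK/ca.cer"
}

main
```

Point the Tomcat HTTPS connector at server.p12 with keystoreType="PKCS12" and the password above, and import ca.cer into the browser as in step 4. The smart card side is a separate store: the truststore used for clientAuth only has to contain the CA that issued the card certificate (the Infocamere root in the thread, imported with keytool -importcert), and it need not have anything to do with the CA that issued the server certificate.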



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

