You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by joelsherriff <jo...@comcast.net> on 2005/03/15 17:13:19 UTC
Help with SSL & Cert
Hope someone can help. I've searched through the archives and this seems to be a common problem, but even detailed instructions
have left me stumped. I'm trying to get client certificates to be required by tomcat by setting clientAuth=true but I can't seem to figure out how
to get the client certificate to be accepted once I do that. Here's what I've done to generate all the appropriate files (parts coped from
other posts to this list):
# Create a private key and certificate request
openssl req -new -subj "/C=US/ST=North Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
# Create CA's self-signed certificate
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
# Copy ca.pem to ca.crt, edit and change "TRUSTED CERTIFICATE" to "CERTIFICATE"
# import ca.crt into the Trusted Root Certificates Store in IE
#Import the CA certificate into the JDK certificate authorities keystore:
keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file ca.pem -alias my_ca_alias -keypass changeit -storepass changeit
# Create a file to hold CA's serial numbers.
echo "02" > ca.srl
# Create a keystore for the web server.
keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D, O=MyOrganization, L=Raleigh, S=North Carolina, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
# Create a certificate request for the web server:
keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
# Sign the certificate request:
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
# Import the signed server certificate into the server keystore:
keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit
# Import the CA certificate into the server keystore:
keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
# Create a client certificate request:
openssl req -new -newkey rsa:512 -nodes -out client1.req -keyout client1.key
# Sign the client certificate.
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in client1.req -out client1.pem -days 365
# Generate a PKCS12 file containing client key and client certificate.
openssl pkcs12 -export -clcerts -in client1.pem -inkey client1.key -out client1.p12 -name "Client"
# Import the PKCS12 file into the web browser under Personal Certificates
# edit the server.xml file and set clientAuth=true and keystoreFile to point to my server.keystore file.
Once all this is done, neither IE nor my web app can talk to tomcat on the ssl port (8443)