Posted to users@tomcat.apache.org by Martin Jericho <ma...@jabmail.com> on 2003/08/11 04:51:24 UTC

Client SSL certificates signed by Windows Certificate Server

I am trying to use Windows Certificate Server to sign my client
certificates.

First I tried to use a certificate that was generated in IE, but that didn't
seem to work (has anyone gotten this to work before?), so now I am trying
certificates generated by IBM's keyman program.

These are the steps I take:

1.  In keyman, generate a key pair in a PKCS#12 file.
2.  Create a certificate request based on this key pair
3.  In Microsoft Certificate Server's certsrv webpage, select the following
options:
    - "Request a certificate"
    - "Advanced Request"
    - "Submit a certificate request using a base64 encoded PKCS #10 file or
a renewal request using a base64 encoded PKCS #7 file"
4.  Paste the certificate request into the window
5.  Issue the certificate request on the server
6.  In Microsoft Certificate Server's certsrv webpage, select "Check on a
pending certificate" and select the saved-request certificate
7.  Click on the "Download CA Certification Path" link, and save the
certnew.p7b file to disk
8.  In keyman, import the .p7b file.  This attaches itself to the original
key pair.
9.  Save the keystore as a .p12 file
10.  Import this .p12 file into IE
11.  Export the signing certificate from IE into a file called MyCA.cer
12.  Import this cer file into Java's cacerts keystore
13.  Restart tomcat

At this stage everything should work, but it doesn't.  I can only get it to
work by exporting the new certificate itself into a .cer file and importing
that into the cacerts file.  For some reason, tomcat doesn't trust Windows
Certificate Server's root certificate, or at least doesn't trust any
certificates signed by it, even after I have imported it into the cacerts
file.

Has anyone done this before?

Thanks
Martin





Re: Client SSL certificates signed by Windows Certificate Server

Posted by ac...@saysit.com.
Bill Barker wrote:
> "Martin Jericho" <ma...@jabmail.com> wrote in message
> news:074001c35fbe$1c5a49d0$1c00a8c0@MARTINJ...
> > ----- Original Message -----
> > From: "Bill Barker" <wb...@wilshire.com>
> > To: <to...@jakarta.apache.org>
> > Sent: Monday, August 11, 2003 2:03 PM
> > Subject: Re: Client SSL certificates signed by Windows Certificate Server
> >
> > > "Martin Jericho" <ma...@jabmail.com> wrote in message
> > > news:06f301c35fb3$744cf0d0$1c00a8c0@MARTINJ...
> > > > I am trying to use Windows Certificate Server to sign my client
> > > > certificates.
> > > >
> > > > First I tried to use a certificate that was generated in IE, but that
> > > > didn't seem to work (has anyone gotten this to work before?), so now I
> > > > am trying certificates generated by IBM's keyman program.
> > > >
> > > > These are the steps I take:
> > > >
> > > > 1.  In keyman, generate a key pair in a PKCS#12 file.
> > > > 2.  Create a certificate request based on this key pair
> > > > 3.  In Microsoft Certificate Server's certsrv webpage, select the
> > > >     following options:
> > > >     - "Request a certificate"
> > > >     - "Advanced Request"
> > > >     - "Submit a certificate request using a base64 encoded PKCS #10
> > > >       file or a renewal request using a base64 encoded PKCS #7 file"
> > > > 4.  Paste the certificate request into the window
> > > > 5.  Issue the certificate request on the server
> > > > 6.  In Microsoft Certificate Server's certsrv webpage, select "Check
> > > >     on a pending certificate" and select the saved-request certificate
> > > > 7.  Click on the "Download CA Certification Path" link, and save the
> > > >     certnew.p7b file to disk
> > > > 8.  In keyman, import the .p7b file.  This attaches itself to the
> > > >     original key pair.
> > > > 9.  Save the keystore as a .p12 file
> > > > 10.  Import this .p12 file into IE
> > > > 11.  Export the signing certificate from IE into a file called
> > > >      MyCA.cer
> > > > 12.  Import this cer file into Java's cacerts keystore
> > > > 13.  Restart tomcat
> > > >
> > > > At this stage everything should work, but it doesn't.  I can only get
> > > > it to work by exporting the new certificate itself into a .cer file
> > > > and importing that into the cacerts file.  For some reason, tomcat
> > > > doesn't trust Windows Certificate Server's root certificate, or at
> > > > least doesn't trust any certificates signed by it, even after I have
> > > > imported it into the cacerts file.
> > > >
> > > > Has anyone done this before?
> > >
> > > Yup, it should work as you've described.  I don't know anything about
> > > WCS (or care to know :), but does it sign with an intermediate cert?  If
> > > so, then you'll probably have to import the intermediate cert as well
> > > (so that Tomcat can verify BasicConstraints etc.).
>
> Of course it checks the entire cert chain.  It would be a security hole if
> it didn't (e.g. anyone could simply issue themselves a cert, and login).
> All that should be required is that you have the root cert in cacerts, and
> then Tomcat should validate your client-certs (w/o requiring that they be
> imported).
 
Sorry to butt into this thread...
I use Apache + mod_ssl to talk with OpenSSL with Tomcat behind that.
I have signed my own certificate.
How do I know Apache is checking the imported certificate?

Re: Client SSL certificates signed by Windows Certificate Server

Posted by Bill Barker <wb...@wilshire.com>.
"Martin Jericho" <ma...@jabmail.com> wrote in message
news:074001c35fbe$1c5a49d0$1c00a8c0@MARTINJ...
> ----- Original Message -----
> From: "Bill Barker" <wb...@wilshire.com>
> To: <to...@jakarta.apache.org>
> Sent: Monday, August 11, 2003 2:03 PM
> Subject: Re: Client SSL certificates signed by Windows Certificate Server
>
> > "Martin Jericho" <ma...@jabmail.com> wrote in message
> > news:06f301c35fb3$744cf0d0$1c00a8c0@MARTINJ...
> > > I am trying to use Windows Certificate Server to sign my client
> > > certificates.
> > >
> > > First I tried to use a certificate that was generated in IE, but that
> > > didn't seem to work (has anyone gotten this to work before?), so now I
> > > am trying certificates generated by IBM's keyman program.
> > >
> > > These are the steps I take:
> > >
> > > 1.  In keyman, generate a key pair in a PKCS#12 file.
> > > 2.  Create a certificate request based on this key pair
> > > 3.  In Microsoft Certificate Server's certsrv webpage, select the
> > >     following options:
> > >     - "Request a certificate"
> > >     - "Advanced Request"
> > >     - "Submit a certificate request using a base64 encoded PKCS #10
> > >       file or a renewal request using a base64 encoded PKCS #7 file"
> > > 4.  Paste the certificate request into the window
> > > 5.  Issue the certificate request on the server
> > > 6.  In Microsoft Certificate Server's certsrv webpage, select "Check
> > >     on a pending certificate" and select the saved-request certificate
> > > 7.  Click on the "Download CA Certification Path" link, and save the
> > >     certnew.p7b file to disk
> > > 8.  In keyman, import the .p7b file.  This attaches itself to the
> > >     original key pair.
> > > 9.  Save the keystore as a .p12 file
> > > 10.  Import this .p12 file into IE
> > > 11.  Export the signing certificate from IE into a file called
> > >      MyCA.cer
> > > 12.  Import this cer file into Java's cacerts keystore
> > > 13.  Restart tomcat
> > >
> > > At this stage everything should work, but it doesn't.  I can only get
> > > it to work by exporting the new certificate itself into a .cer file
> > > and importing that into the cacerts file.  For some reason, tomcat
> > > doesn't trust Windows Certificate Server's root certificate, or at
> > > least doesn't trust any certificates signed by it, even after I have
> > > imported it into the cacerts file.
> > >
> > > Has anyone done this before?
> >
> > Yup, it should work as you've described.  I don't know anything about
> > WCS (or care to know :), but does it sign with an intermediate cert?  If
> > so, then you'll probably have to import the intermediate cert as well
> > (so that Tomcat can verify BasicConstraints etc.).
>
> No intermediate certificates.
> Something else that is unexpected... Even when I import the actual
> certificate into cacerts, I still have to have the root certificate in
> there as well.  Does tomcat always check the whole certificate chain,
> even if it doesn't have to?

Of course it checks the entire cert chain.  It would be a security hole if
it didn't (e.g. anyone could simply issue themselves a cert, and login).
All that should be required is that you have the root cert in cacerts, and
then Tomcat should validate your client-certs (w/o requiring that they be
imported).

> > > Thanks
> > > Martin




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Making the session non-persistent in server.xml

Posted by Sarika Inamdar <si...@cisco.com>.
Hi All,

When we re-start tomcat, we want a new session. We don't want the
persistent behaviour of tomcat.

In server.xml, we added the following:

<Manager className="org.apache.catalina.session.PersistentManager"
         debug="0"
         saveOnRestart="false"
         maxActiveSessions="-1"
         minIdleSwap="-1"
         maxIdleSwap="-1"
         maxIdleBackup="-1">
    <Store className="org.apache.catalina.session.FileStore"/>
</Manager>

Is this the correct configuration? With this, we are still unable to
disable the persistence. The sessions get stored on the hard disk.

Please let us know how to disable sessions being saved to memory.

Thanks in Advance,
Sarika



Re: Client SSL certificates signed by Windows Certificate Server

Posted by Martin Jericho <ma...@jabmail.com>.
----- Original Message -----
From: "Bill Barker" <wb...@wilshire.com>
To: <to...@jakarta.apache.org>
Sent: Monday, August 11, 2003 2:03 PM
Subject: Re: Client SSL certificates signed by Windows Certificate Server

> "Martin Jericho" <ma...@jabmail.com> wrote in message
> news:06f301c35fb3$744cf0d0$1c00a8c0@MARTINJ...
> > I am trying to use Windows Certificate Server to sign my client
> > certificates.
> >
> > First I tried to use a certificate that was generated in IE, but that
> > didn't seem to work (has anyone gotten this to work before?), so now I am
> > trying certificates generated by IBM's keyman program.
> >
> > These are the steps I take:
> >
> > 1.  In keyman, generate a key pair in a PKCS#12 file.
> > 2.  Create a certificate request based on this key pair
> > 3.  In Microsoft Certificate Server's certsrv webpage, select the
> >     following options:
> >     - "Request a certificate"
> >     - "Advanced Request"
> >     - "Submit a certificate request using a base64 encoded PKCS #10 file
> >       or a renewal request using a base64 encoded PKCS #7 file"
> > 4.  Paste the certificate request into the window
> > 5.  Issue the certificate request on the server
> > 6.  In Microsoft Certificate Server's certsrv webpage, select "Check on a
> >     pending certificate" and select the saved-request certificate
> > 7.  Click on the "Download CA Certification Path" link, and save the
> >     certnew.p7b file to disk
> > 8.  In keyman, import the .p7b file.  This attaches itself to the original
> >     key pair.
> > 9.  Save the keystore as a .p12 file
> > 10.  Import this .p12 file into IE
> > 11.  Export the signing certificate from IE into a file called MyCA.cer
> > 12.  Import this cer file into Java's cacerts keystore
> > 13.  Restart tomcat
> >
> > At this stage everything should work, but it doesn't.  I can only get it
> > to work by exporting the new certificate itself into a .cer file and
> > importing that into the cacerts file.  For some reason, tomcat doesn't
> > trust Windows Certificate Server's root certificate, or at least doesn't
> > trust any certificates signed by it, even after I have imported it into
> > the cacerts file.
> >
> > Has anyone done this before?
>
> Yup, it should work as you've described.  I don't know anything about WCS
> (or care to know :), but does it sign with an intermediate cert?  If so,
> then you'll probably have to import the intermediate cert as well (so that
> Tomcat can verify BasicConstraints etc.).

No intermediate certificates.
Something else that is unexpected... Even when I import the actual
certificate into cacerts, I still have to have the root certificate in there
as well.  Does tomcat always check the whole certificate chain, even if it
doesn't have to?

> > Thanks
> > Martin



Re: Client SSL certificates signed by Windows Certificate Server

Posted by Bill Barker <wb...@wilshire.com>.
"Martin Jericho" <ma...@jabmail.com> wrote in message
news:06f301c35fb3$744cf0d0$1c00a8c0@MARTINJ...
> I am trying to use Windows Certificate Server to sign my client
> certificates.
>
> First I tried to use a certificate that was generated in IE, but that
> didn't seem to work (has anyone gotten this to work before?), so now I am
> trying certificates generated by IBM's keyman program.
>
> These are the steps I take:
>
> 1.  In keyman, generate a key pair in a PKCS#12 file.
> 2.  Create a certificate request based on this key pair
> 3.  In Microsoft Certificate Server's certsrv webpage, select the
>     following options:
>     - "Request a certificate"
>     - "Advanced Request"
>     - "Submit a certificate request using a base64 encoded PKCS #10 file
>       or a renewal request using a base64 encoded PKCS #7 file"
> 4.  Paste the certificate request into the window
> 5.  Issue the certificate request on the server
> 6.  In Microsoft Certificate Server's certsrv webpage, select "Check on a
>     pending certificate" and select the saved-request certificate
> 7.  Click on the "Download CA Certification Path" link, and save the
>     certnew.p7b file to disk
> 8.  In keyman, import the .p7b file.  This attaches itself to the original
>     key pair.
> 9.  Save the keystore as a .p12 file
> 10.  Import this .p12 file into IE
> 11.  Export the signing certificate from IE into a file called MyCA.cer
> 12.  Import this cer file into Java's cacerts keystore
> 13.  Restart tomcat
>
> At this stage everything should work, but it doesn't.  I can only get it
> to work by exporting the new certificate itself into a .cer file and
> importing that into the cacerts file.  For some reason, tomcat doesn't
> trust Windows Certificate Server's root certificate, or at least doesn't
> trust any certificates signed by it, even after I have imported it into
> the cacerts file.
>
> Has anyone done this before?

Yup, it should work as you've described.  I don't know anything about WCS
(or care to know :), but does it sign with an intermediate cert?  If so,
then you'll probably have to import the intermediate cert as well (so that
Tomcat can verify BasicConstraints etc.).

> Thanks
> Martin



