Posted to users@tomcat.apache.org by joelsherriff <jo...@comcast.net> on 2005/03/25 19:47:43 UTC

Help with SSL & Cert config

I'm resending this message because a) for some reason I didn't see it on the list after I sent it and b) I never got any responses (maybe because of _a_).  So, if my original post did actually make it to the list, please forgive the re-post.

Hope someone can help.  I've searched through the archives and this seems to be a common problem, but even detailed instructions have left me stumped.  I'm trying to get client certificates to be required by tomcat by setting clientAuth=true but I can't seem to figure out how to get the client certificate to be accepted once I do that.  Here's what I've done to generate all the appropriate files (parts copied from other posts to this list):

Further elaboration of what we're trying to do:  We want to require client authentication from our customers.  So, IIUC, we'll have to send them a signed client cert (p12) to install in their browser and java keystores.  Again, IIUC, importing the CA certificate, that was used to sign the client cert, into the server keystore is what tells the server to accept the client certificate presented, because it will be signed by that CA (us).  Is my understanding correct?  If so, these steps appear to be correct, unless I've hosed something up along the way.

# Create a private key and certificate request
openssl req -new -subj "/C=US/ST=North Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key

# Create CA's self-signed certificate
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

# Copy ca.pem to ca.crt, edit and change "TRUSTED CERTIFICATE" to "CERTIFICATE"
# import ca.crt into the Trusted Root Certificates Store in IE

# Import the CA certificate into the JDK certificate authorities keystore:
keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file ca.pem -alias my_ca_alias -keypass changeit -storepass changeit

# Create a file to hold CA's serial numbers.
echo "02" > ca.srl

# Create a keystore for the web server.
keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D, O=MyOrganization, L=Raleigh, S=North Carolina, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS

# Create a certificate request for the web server:
keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit

# Sign the certificate request:
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365

# Import the signed server certificate into the server keystore:
keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit

# Import the CA certificate into the server keystore:
keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit

# Create a client certificate request:
openssl req -new -newkey rsa:512 -nodes -out client1.req -keyout client1.key

# Sign the client certificate.
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in client1.req -out client1.pem -days 365

# Generate a PKCS12 file containing client key and client certificate.
openssl pkcs12 -export -clcerts -in client1.pem -inkey client1.key -out client1.p12 -name "Client"

# Import the PKCS12 file into the web browser under Personal Certificates

# edit the server.xml file and set clientAuth=true and keystoreFile to point to my server.keystore file.

Once all this is done, neither IE nor my web app can talk to tomcat on the ssl port (8443).

Re: Any better way to do this?

Posted by joelsherriff <jo...@comcast.net>.
Thanks for the input.  Very appreciated.  There seem to be so many
configuration options in tomcat that I wasn't sure if I was trying to use
filters when something else was already there waiting for me to use.


----- Original Message ----- 
From: "Will Hartung" <wi...@msoft.com>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Monday, April 25, 2005 8:14 PM
Subject: Re: Any better way to do this?


> > From: "joelsherriff" <jo...@comcast.net>
> > Sent: Monday, April 25, 2005 4:16 PM
>
> > I want to setup what is basically a blog server - so that users must
> > login and can then access their personal blog, but nobody else's.  I
> > think I can do this using a servlet filter to trap requests to the blog
> > pages, lookup the user's blog page url using the session info, and
> > modify the request to point to his/her own blog, regardless of what blog
> > they initially requested.
> >
> > Seems like there ought to be a better way but I'm pretty new to tomcat
> > so .... is there?
>
> Actually that's a perfect way to do it. You simply write the filter,
> install it, and be done with it. The challenge being integrating with the
> Blog software's registration system, perhaps, but the beauty of the system
> is that the blogging servlets/JSPs/etc. are totally ignorant of the change,
> and you can move ahead with very little knowledge of how the blogging
> software works or is configured. It's a nice, non-invasive system to do
> exactly what you want.
>
> Regards,
>
> Will Hartung
> (willh@msoft.com)



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Any better way to do this?

Posted by Will Hartung <wi...@msoft.com>.
> From: "joelsherriff" <jo...@comcast.net>
> Sent: Monday, April 25, 2005 4:16 PM

> I want to setup what is basically a blog server - so that users must
> login and can then access their personal blog, but nobody else's.  I think
> I can do this using a servlet filter to trap requests to the blog pages,
> lookup the user's blog page url using the session info, and modify the
> request to point to his/her own blog, regardless of what blog they
> initially requested.
>
> Seems like there ought to be a better way but I'm pretty new to tomcat so
> .... is there?

Actually that's a perfect way to do it. You simply write the filter, install
it, and be done with it. The challenge being integrating with the Blog
software's registration system, perhaps, but the beauty of the system is
that the blogging servlets/JSPs/etc. are totally ignorant of the change, and
you can move ahead with very little knowledge of how the blogging software
works or is configured. It's a nice, non-invasive system to do exactly what
you want.

Regards,

Will Hartung
(willh@msoft.com)




Any better way to do this?

Posted by joelsherriff <jo...@comcast.net>.
I want to setup what is basically a blog server - so that users must login
and can then access their personal blog, but nobody else's.  I think I can
do this using a servlet filter to trap requests to the blog pages, lookup
the user's blog page url using the session info, and modify the request to
point to his/her own blog, regardless of what blog they initially requested.

Seems like there ought to be a better way but I'm pretty new to tomcat so
.... is there?





Re: Help with JDBCRealm config on Tomcat 4.1

Posted by joelsherriff <jo...@comcast.net>.
Well I've got JDBCRealm working for the entire server, but when I try to
wrap the realm in a context for a specific webapp it stops working.  Anyone
have any ideas why?  Is my Context specification not correct?

<Context path="/blojsom" docBase="blojsom" debug="99" >
  <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
         driverName="com.mysql.jdbc.Driver"
         connectionURL="jdbc:mysql://localhost/mydatabase"
         connectionName="xxxxxx" connectionPassword="xxxxxx" digest="MD5"
         userTable="users" userNameCol="userid"
         userCredCol="md5password"
         userRoleTable="user_roles" roleNameCol="role_name" />
</Context>


----- Original Message ----- 
From: "joelsherriff" <jo...@comcast.net>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Friday, April 22, 2005 3:56 PM
Subject: Help with JDBCRealm config on Tomcat 4.1


> Hope someone can help me - I'm still a relative newbie to tomcat, am
> baffled at this point and I can't even get it configured so that I
> can get debug info to find out what's wrong.
>
> I've added a context to my server.xml for the webapp I'm trying to set up
> JDBCRealm authentication for:
>
>       <Context path="/blojsom" docBase="blojsom" debug="99" >
>             <Logger className="org.apache.catalina.logger.FileLogger"
>                     prefix="localhost_blojsom_log." suffix=".txt" timestamp="true" />
>             <Realm  className="org.apache.catalina.realm.JDBCRealm"
>                     debug="99" driverName="org.gjt.mm.mysql.Driver"
>                     connectionURL="jdbc:mysql://localhost/mydatabase?user=xxxxxx;password=xxxxxx"
>                     connectionName="xxxxxx" connectionPassword="xxxxxx"
>                     digest="MD5"
>                     userTable="users" userNameCol="userid"
>                     userCredCol="md5password"
>                     userRoleTable="user_roles" roleNameCol="role_name" />
>       </Context>
>
> And, of course, added the supporting tables and roles to my database.
> When I attempt to access a page from the webapp,
> my login.jsp page is displayed, and when I attempt to login, my error.jsp
> page is displayed.   I didn't expect this to work
> correctly the first time I configured it,  and it's not, but my problem is
> that I can't figure out how to debug it at all.  The
> Logger I have configured in the webapp's Context does nothing - doesn't
> create the log file and nothing is logged
> anywhere else either.   How can I further debug it?
>
> Now, if I take the Realm out of the Context (applying it to the entire
> server), I get an exception in my catalina_log:
>
> 2005-04-22 15:26:10 JDBCRealm[Standalone]: Exception performing
> authentication
> java.sql.SQLException: org.gjt.mm.mysql.Driver
>  at org.apache.catalina.realm.JDBCRealm.open(JDBCRealm.java:588)
>  at org.apache.catalina.realm.JDBCRealm.authenticate(JDBCRealm.java:343)
>
> Though it doesn't say it precisely, I think this implies that it's not
> connecting to the DB, but the db, user and password values are all
> correct.
>
> Basically, I have three problems:  why can't I get logging to work from
> within a specific context,  am I doing something wrong in my attempt
> to get JDBCRealm authentication to work, and what is the right way to
> debug the problem further, if the solution isn't obvious?
>
> Also, I've added to my webapp's web.xml file:
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Entire Application</web-resource-name>
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>users</role-name>
> </auth-constraint>
> </security-constraint>
>
> <login-config>
> <auth-method>FORM</auth-method>
> <realm-name>Users</realm-name>
> <form-login-config>
> <form-login-page>/login.jsp</form-login-page>
> <form-error-page>/error.jsp</form-error-page>
> </form-login-config>
> </login-config>
>
> <security-role>
> <description>
> Some Stuff
> </description>
> <role-name>users</role-name>
> </security-role>
>





Help with JDBCRealm config on Tomcat 4.1

Posted by joelsherriff <jo...@comcast.net>.
Hope someone can help me - I'm still a relative newbie to tomcat, am baffled
at this point and I can't even get it configured so that I can get debug
info to find out what's wrong.

I've added a context to my server.xml for the webapp I'm trying to set up
JDBCRealm authentication for:

<Context path="/blojsom" docBase="blojsom" debug="99" >
  <Logger className="org.apache.catalina.logger.FileLogger"
          prefix="localhost_blojsom_log." suffix=".txt" timestamp="true" />
  <Realm  className="org.apache.catalina.realm.JDBCRealm"
          debug="99" driverName="org.gjt.mm.mysql.Driver"
          connectionURL="jdbc:mysql://localhost/mydatabase?user=xxxxxx;password=xxxxxx"
          connectionName="xxxxxx" connectionPassword="xxxxxx"
          digest="MD5"
          userTable="users" userNameCol="userid"
          userCredCol="md5password"
          userRoleTable="user_roles" roleNameCol="role_name" />
</Context>

And, of course, added the supporting tables and roles to my database.  When
I attempt to access a page from the webapp,
my login.jsp page is displayed, and when I attempt to login, my error.jsp
page is displayed.   I didn't expect this to work
correctly the first time I configured it,  and it's not, but my problem is
that I can't figure out how to debug it at all.  The
Logger I have configured in the webapp's Context does nothing - doesn't
create the log file and nothing is logged
anywhere else either.   How can I further debug it?

Now, if I take the Realm out of the Context (applying it to the entire
server), I get an exception in my catalina_log:

2005-04-22 15:26:10 JDBCRealm[Standalone]: Exception performing
authentication
java.sql.SQLException: org.gjt.mm.mysql.Driver
 at org.apache.catalina.realm.JDBCRealm.open(JDBCRealm.java:588)
 at org.apache.catalina.realm.JDBCRealm.authenticate(JDBCRealm.java:343)

Though it doesn't say it precisely, I think this implies that it's not
connecting to the DB, but the db, user and password values are all correct.

Basically, I have three problems:  why can't I get logging to work from
within a specific context,  am I doing something wrong in my attempt
to get JDBCRealm authentication to work, and what is the right way to debug
the problem further, if the solution isn't obvious?

Also, I've added to my webapp's web.xml file:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>users</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Users</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <description>Some Stuff</description>
  <role-name>users</role-name>
</security-role>





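The following is an added example, not Tomcat's code or anything from this thread. It models what a JDBCRealm configured with digest="MD5" does with the tables named in the Context above (users/userid/md5password and user_roles/role_name): look up the stored credential for the submitted user, digest the submitted password to lowercase hex MD5, compare, then fetch the user's roles and check them against the role the web.xml auth-constraint requires. The tables are constructed text looked up with awk in place of the realm's two SELECT statements, openssl dgst stands in for the JDK MessageDigest, and the case-insensitive comparison of the stored digest is a modelling assumption. The user bob has a plaintext value in md5password, which shows one way a login with the correct password still fails when the realm is digesting: the digest of the submitted password never equals the plaintext stored.

```shell
#!/bin/sh
# Added example (not Tomcat's code): a model of JDBCRealm with digest="MD5"
# over the tables from the Context above. Tables are constructed text;
# awk stands in for the two SELECTs the realm issues, openssl dgst for
# the JDK MessageDigest. Assumes openssl is on PATH.
set -e

# users(userid, md5password): alice holds the MD5 hex of "password",
# bob holds a plaintext password, the mistake this example demonstrates.
USERS_TABLE='alice|5f4dcc3b5aa765d61d8327deb882cf99
bob|Secret123'

# user_roles(userid, role_name)
USER_ROLES_TABLE='alice|users
bob|users'

# Tomcat digests the submitted password and renders it as lowercase hex;
# this is the value the userCredCol column must hold.
tomcat_md5() {          # tomcat_md5 <cleartext>
    printf '%s' "$1" | openssl dgst -md5 | awk '{print $NF}'
}

# SELECT md5password FROM users WHERE userid = ?
lookup_credential() {   # lookup_credential <userid>
    printf '%s\n' "$USERS_TABLE" | awk -F'|' -v u="$1" '$1 == u { print $2; exit }'
}

# SELECT role_name FROM user_roles WHERE userid = ?
lookup_roles() {        # lookup_roles <userid>
    printf '%s\n' "$USER_ROLES_TABLE" | awk -F'|' -v u="$1" '$1 == u { print $2 }'
}

# authenticate <userid> <cleartext>: prints "ok" or "fail". An unknown user
# and a digest mismatch fail the same way, which is what sends a FORM login
# to its form-error-page.
authenticate() {
    stored_cred=$(lookup_credential "$1")
    if [ -z "$stored_cred" ]; then
        echo fail
        return 0
    fi
    # Stored digest compared case-insensitively (model assumption).
    stored_lc=$(printf '%s' "$stored_cred" | tr 'A-Z' 'a-z')
    if [ "$(tomcat_md5 "$2")" = "$stored_lc" ]; then
        echo ok
    else
        echo fail
    fi
}

# has_role <userid> <role>: the auth-constraint check for <role-name>users
has_role() {
    if lookup_roles "$1" | grep -qx "$2"; then
        echo allowed
    else
        echo denied
    fi
}

# Demo: two correct passwords, one wrong one, one unknown user.
for attempt in "alice password" "alice wrong" "bob Secret123" "carol x"; do
    set -- $attempt
    echo "login $1/$2 -> $(authenticate "$1" "$2")"
done
echo "alice needs role 'users' -> $(has_role alice users)"
echo "bob would authenticate if md5password held $(tomcat_md5 Secret123)"
```

Run it as `sh realm-model.sh`; the bob line fails even though Secret123 is his password, and the last line prints the hex value the column would need to hold. The same digest can be produced at a shell prompt with `printf '%s' thepassword | openssl dgst -md5` to check what is actually stored in the database against what the realm will compute.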


Re: Help with SSL & Cert config

Posted by joelsherriff <jo...@comcast.net>.
There's a light at the end of this tunnel - I've got it mostly working - via
a browser anyway.  My previous trivial problem was the imports of the CA and
cert signed by that CA needed to be in the opposite order - CA first, then
cert - so that keytool would accept the cert.

My next, and hopefully last problem is that I can't seem to get the command
to install the client cert in the java keystore correct.  I tried just a
simple

keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file client1.pem -alias myalias

But with or without this my java client can't connect - tomcat gives a
"certificate_unknown" exception.  The instructions I've been using don't
mention what to do to get the client cert in the java keystore.  They only
say:

create client cert request
have the ca sign it
generate a pkcs12 file from it
import the pkcs12 into the browser

nothing about importing the client cert into the java keystore.

Is there some other step I need to perform before/instead of importing the
.pem into the cacerts file?


----- Original Message ----- 
From: "joelsherriff" <jo...@comcast.net>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Saturday, March 26, 2005 9:07 PM
Subject: Re: Help with SSL & Cert config


>
> > > #Import the CA certificate into the JDK certificate authorities
> keystore:
> > > keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file
> > > ca.pem -alias myalias -keypass changeit
> > >
> >
> > This is either/or with truststoreFile (which, since you are using 4.1.x,
> is
> > done with the -Djavax.net.ssl.trustStore=/path/to/trust.store; for TC 3
&
> 5
> > it's configured like keystoreFile).  However, you need to trust your CA
> cert
> > (i.e. -trustcacerts).
>
> So if I understand you correctly, I need to add a -trustcacerts flag to
the
> keytool command above
> that imports the CA cert?  And, since I am using 4.1 I do need
> the -Djavax.net.ssl.trustStore=... in
> my CATALINA_OPTS because 4.1 doesn't support the truststoreFile= in the
> Coyote connector?
> Not trying to be dense (I come by that naturally), just want to be clear.
>
> > This (and everything I've said before) is assuming that you're using the
> > Coyote Connector.  I don't really remember how the (deprecated)
> > Http11Connector works (and don't care enough to look it up :).
>
> Assumption correct.
>
> > > # Create a file to hold CA's serial numbers.
> > > echo "02" > ca.srl
> > >
> > > # Create a keystore for web server.
> > > keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D, O=MyOrg,
> > > L=New
> > > York, S=New York, C=US" -keyalg RSA -keypass changeit -storepass
> > > changeit -keysize 1024 -keystore server.keystore -storetype JKS
> > >
> > > # Create a certificate request for web server:
> > > keytool -certreq -keyalg RSA -alias tomcat-sv -file
server.csr -keystore
> > > server.keystore -storepass changeit
> > >
> > > # Sign the certificate request:
> > > openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in
> > > server.csr -out server.crt -days 365
> > >
> > > # Import the signed server certificate into the server keystore:
> > > keytool -import -alias tomcat-sv -keystore
> > > server.keystore -trustcacerts -file server.crt -storepass changeit
> > >
> >
> > It's good practice to import the server CA as well, so that JSSE can
send
> > the entire chain, but at this point, I imagine you just want it to work
> ;-).
>
> You can say that again.  But, when you say the "server CA", which file are
> you referring to?
>
> > It's also necessary if you are pointing your truststore to your
keystore.
> >
> > > I get a 'Failed to establish chain from reply' exception at his point.
> > >
> >
> > Since you re-created your CA, you would need to re-import it into your
> > browser.  However, I'm guessing that it's because of the lack of trust
> > mentioned above.
> >
> > >
> > >
> > > ----- Original Message ----- 
> > > From: "joelsherriff" <jo...@comcast.net>
> > > To: "Tomcat Users List" <to...@jakarta.apache.org>
> > > Sent: Saturday, March 26, 2005 11:24 AM
> > > Subject: Re: Help with SSL & Cert config
> > >
> > >
> > >> Ah.  Thanks for the help, truly, but I'm still not getting there.  I
> > > didn't
> > >> even know about the truststoreFile so I googled it and saw mention
that
> > > the
> > >> easiest thing to do is to set the truststoreFile = the keystoreFile,
> > >> since
> > >> that already has the CA cert in it.  So, I tried setting
truststoreFile
> > >> to
> > >> point to my keystoreFile in server.xml.  That didn't help.  Then I
saw
> > > that
> > >> there might be issues with setting truststoreFile in the server.xml
in
> > >> Tomcat 4.1 so I set it in CATALINA_OPTS like:
> > >>
> > >> -Djavax.net.ssl.trustStore="C:/Program Files/Apache Group/Tomcat
> > >> 4.1/conf/server.keystore"
> > >>
> > >> and that didn't help either.  Anything else I'm missing?
> > >>
> > >>
> > >> ----- Original Message ----- 
> > >> From: "Bill Barker" <wb...@wilshire.com>
> > >> To: <to...@jakarta.apache.org>
> > >> Sent: Friday, March 25, 2005 10:13 PM
> > >> Subject: Re: Help with SSL & Cert config
> > >>
> > >>
> > >> >
> > >> > "joelsherriff" <jo...@comcast.net> wrote in message
> > >> > news:005f01c531a6$88850bc0$6701a8c0@akumac...
> > >> > >I thought that's what this step:
> > >> > >
> > >> > > # Import the CA certificate into the server keystore:
> > >> > > keytool -import -alias my_ca_alias -keystore
> > >> > > server.keystore -trustcacerts -file ca.pem -keypass changeit
> > >> > >
> > >> > > was doing.  No?
> > >> > >
> > >> >
> > >> > No.  That's putting it into your keystoreFile.  The keystoreFile is
> to
> > >> > identify you.  The truststoreFile is to identify other people.
> > >> >
> > >> > > ----- Original Message ----- 
> > >> > > From: "Bill Barker" <wb...@wilshire.com>
> > >> > > To: <to...@jakarta.apache.org>
> > >> > > Sent: Friday, March 25, 2005 8:51 PM
> > >> > > Subject: Re: Help with SSL & Cert config
> > >> > >
> > >> > >
> > >> > >> You need to put your CA cert into your Tomcat truststoreFile.
> > >> Otherwise,
> > >> > >> you client's cert won't be trusted.
> > >> > >>
> > >> > >> "joelsherriff" <jo...@comcast.net> wrote in message
> > >> > >> news:072801c5316b$21557ec0$6701a8c0@akumac...
> > >> > >> I'm resending this message because a) for some reason I didn't
see
> > >> > >> it
> > >> on
> > >> > > the
> > >> > >> list after I sent it and b) I never got any responses (maybe
> because
> > > of
> > >> > >> _a_).  So, if my original post did actually make it to the list,
> > > please
> > >> > >> forgive the re-post.
> > >> > >>
> > >> > >> Hope someone can help.  I've searched through the archives and
> this
> > >> seems
> > >> > > to
> > >> > >> be a common problem, but even detailed instructions
> > >> > >> have left me stumped.  I'm trying to get client certificates to
be
> > >> > > required
> > >> > >> by tomcat by setting clientAuth=true but I can't seem to figure
> out
> > > how
> > >> > >> to get the client certificate to be accepted once I do that.
> Here's
> > >> what
> > >> > >> I've done to generate all the appropriate files (parts coped
from
> > >> > >> other posts to this list):
> > >> > >>
> > >> > >> Further elaboration of what we're trying to do:  We want to
> require
> > >> > >> client
> > >> > >> authentication from our customers.  So, IIUC, we'll have to send
> > >> > >> them
> > > a
> > >> > >> signed client cert (p12) to install in their browser and java
> > >> keystores.
> > >> > >> Again, IIUC, importing the CA certificate, that was used to sign
> the
> > >> > > client
> > >> > >> cert, into the server keystore is what tells the server to
accept
> > >> > >> the
> > >> > > client
> > >> > >> certificate presented, because it will be signed by that CA
(us).
> > >> > >> Is
> > >> my
> > >> > >> understanding correct?  If so, these steps appear to be correct,
> > > unless
> > >> > > I've
> > >> > >> hosed something up along the way.
> > >> > >>
> > >> > >> # Create a private key and certificate request
> > >> > >> openssl req -new -subj "/C=US/ST=North
> > >> > >> Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out
> > >> > >> ca.csr -keyout
> > >> > >> ca.key
> > >> > >>
> > >> > >> # Create CA's self-signed certificate
> > >> > >> openssl x509 -trustout -signkey ca.key -days 365 -req -in
> > >> > >> ca.csr -out
> > >> > > ca.pem
> > >> > >>
> > >> > >> # Copy ca.pem to ca.crt, edit and change "TRUSTED CERTIFICATE"
to
> > >> > >> "CERTIFICATE"
> > >> > >> # import ca.crt into the Trusted Root Certificates Store in IE
> > >> > >>
> > >> > >> #Import the CA certificate into the JDK certificate authorities
> > >> keystore:
> > >> > >> keytool -import -keystore
> > > "%JAVA_HOME%/jre/lib/security/cacerts" -file
> > >> > >> ca.pem -alias my_ca_alias -keypass changeit -storepass changeit
> > >> > >>
> > >> > >> # Create a file to hold CA's serial numbers.
> > >> > >> echo "02" > ca.srl
> > >> > >>
> > >> > >> # Create a keystore for the web server.
> > >> > >> keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D,
> > >> > >> O=MyOrganization, L=Raleigh, S=North Carolina, C=US" -keyalg
> > >> RSA -keypass
> > >> > >> changeit -storepass changeit -keysize 1024 -keystore
> > >> > >> server.keystore -storetype JKS
> > >> > >>
> > >> > >> # Create a certificate request for the web server:
> > >> > >> keytool -certreq -keyalg RSA -alias tomcat-sv -file
> > >> server.csr -keystore
> > >> > >> server.keystore -storepass changeit
> > >> > >>
> > >> > >> # Sign the certificate request:
> > >> > >> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in
> > >> > >> server.csr -out server.crt -days 365
> > >> > >>
> > >> > >> # Import the signed server certificate into the server keystore:
> > >> > >> keytool -import -alias tomcat-sv -keystore
> > >> > >> server.keystore -trustcacerts -file server.crt -storepass
changeit
> > >> > >>
> > >> > >> # Import the CA certificate into the server keystore:
> > >> > >> keytool -import -alias my_ca_alias -keystore
> > >> > >> server.keystore -trustcacerts -file ca.pem -keypass changeit
> > >> > >>
> > >> > >> # Create a client certificate request:
> > >> > >> openssl req -new -newkey rsa:512 -nodes -out client1.req -keyout
> > >> > > client1.key
> > >> > >>
> > >> > >> # Sign the client certificate.
> > >> > >> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in
> > >> > >> client1.req -out client1.pem -days 365
> > >> > >>
> > >> > >> # Generate a PKCS12 file containing client key and client
> > > certificate.
> > >> > >> openssl pkcs12 -export -clcerts -in client1.pem -inkey
> > > client1.key -out
> > >> > >> client1.p12 -name "Client"
> > >> > >>
> > >> > >> # Import the PKCS12 file into the web browser under Personal
> > >> Certificates
> > >> > >>
> > >> > >> # edit the server.xml file and set clientAuth=true and
> keystoreFile
> > > to
> > >> > > point
> > >> > >> to my server.keystore file.
> > >> > >>
> > >> > >> Once all this is done, neither IE nor my web app can talk to
> tomcat
> > > on
> > >> > >> the
> > >> > >> ssl port (8443)



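The following is an added example, not code from this thread. It serves both the command sequence in the original post and the "certificate_unknown" failure reported above: it builds the same CA, server certificate and client certificate chain with openssl alone, then runs the trust decision a server with clientAuth=true makes on a presented client certificate, once for a client certificate signed by the CA in the truststore and once for one signed by a CA that is not. The second case is the shape of an unknown-certificate failure: the presented certificate does not chain to any CA the server trusts. The names demo-ca, server, client1, client2 and rogue-ca and their subjects are constructed for the example; it assumes openssl is on PATH, does not use keytool, and models the JSSE truststore with the -CAfile argument to openssl verify.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a private CA, a server cert
# and client certs with openssl, then runs the trust check a server with
# clientAuth=true performs on a presented client cert. Assumes openssl is
# on PATH; the names demo-ca, server, client1, client2, rogue-ca are
# constructed for this example.
set -e

# Self-signed CA. "req -x509" emits a CA certificate carrying
# basicConstraints=CA:TRUE, which verifiers expect of a trust anchor.
make_ca() {         # make_ca <name> <subject>
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$2" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Key + CSR for a server or client, signed by the named CA.
issue_cert() {      # issue_cert <ca-name> <name> <subject>
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -out "$2.pem" >/dev/null 2>&1
}

# PKCS#12 bundle of a client's key and cert for import into a browser.
make_p12() {        # make_p12 <name> <export-password>
    openssl pkcs12 -export -in "$1.pem" -inkey "$1.key" -name "$1" \
        -out "$1.p12" -passout "pass:$2" >/dev/null 2>&1
}

# The decision the server makes: does the presented cert chain to a CA in
# the truststore? "-CAfile" stands in for the truststore here. Prints
# "trusted" or "untrusted" so callers can branch on the result.
check_trust() {     # check_trust <truststore.pem> <cert.pem>
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Subject and issuer of a cert: the two fields to compare with the
# truststore contents when a handshake fails with an unknown certificate.
describe_cert() {   # describe_cert <cert.pem>
    openssl x509 -in "$1" -noout -subject -issuer
}

# Demo run in a scratch directory.
work=$(mktemp -d)
cd "$work"
make_ca demo-ca "/CN=Demo CA"
issue_cert demo-ca server "/CN=localhost"
issue_cert demo-ca client1 "/CN=client1"
make_p12 client1 changeit
make_ca rogue-ca "/CN=Some Other CA"
issue_cert rogue-ca client2 "/CN=client2"

describe_cert client1.pem
echo "client1 against the demo-ca truststore: $(check_trust demo-ca.pem client1.pem)"
echo "client2 against the demo-ca truststore: $(check_trust demo-ca.pem client2.pem)"
```

Run it as `sh cert-chain.sh`; client1 reports trusted and client2 untrusted. The point it makes for the thread is that the server side needs only the CA certificate in whatever it uses as a truststore, not the individual client certificates: any client certificate that chains to that CA is accepted, and any that does not is rejected regardless of how many copies of it are imported elsewhere.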


Re: Help with SSL & Cert config

Posted by joelsherriff <jo...@comcast.net>.
> > # Import the CA certificate into the JDK certificate authorities keystore:
> > keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file
> > ca.pem -alias myalias -keypass changeit
> >
>
> This is either/or with truststoreFile (which, since you are using 4.1.x,
> is done with the -Djavax.net.ssl.trustStore=/path/to/trust.store; for TC 3
> & 5 it's configured like keystoreFile).  However, you need to trust your
> CA cert (i.e. -trustcacerts).

So if I understand you correctly, I need to add a -trustcacerts flag to the
keytool command above that imports the CA cert?  And, since I am using 4.1 I
do need the -Djavax.net.ssl.trustStore=... in my CATALINA_OPTS because 4.1
doesn't support the truststoreFile= in the Coyote connector?
Not trying to be dense (I come by that naturally), just want to be clear.

> This (and everything I've said before) is assuming that you're using the
> Coyote Connector.  I don't really remember how the (deprecated)
> Http11Connector works (and don't care enough to look it up :).

Assumption correct.

> > # Create a file to hold CA's serial numbers.
> > echo "02" > ca.srl
> >
> > # Create a keystore for web server.
> > keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D, O=MyOrg,
> > L=New York, S=New York, C=US" -keyalg RSA -keypass changeit -storepass
> > changeit -keysize 1024 -keystore server.keystore -storetype JKS
> >
> > # Create a certificate request for web server:
> > keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore
> > server.keystore -storepass changeit
> >
> > # Sign the certificate request:
> > openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in
> > server.csr -out server.crt -days 365
> >
> > # Import the signed server certificate into the server keystore:
> > keytool -import -alias tomcat-sv -keystore
> > server.keystore -trustcacerts -file server.crt -storepass changeit
> >
>
> It's good practice to import the server CA as well, so that JSSE can send
> the entire chain, but at this point, I imagine you just want it to work
> ;-).

You can say that again.  But, when you say the "server CA", which file are
you referring to?

> It's also necessary if you are pointing your truststore to your keystore.
>
> > I get a 'Failed to establish chain from reply' exception at this point.
> >
>
> Since you re-created your CA, you would need to re-import it into your
> browser.  However, I'm guessing that it's because of the lack of trust
> mentioned above.
>
> >
> >
> > ----- Original Message ----- 
> > From: "joelsherriff" <jo...@comcast.net>
> > To: "Tomcat Users List" <to...@jakarta.apache.org>
> > Sent: Saturday, March 26, 2005 11:24 AM
> > Subject: Re: Help with SSL & Cert config
> >
> >
> >> Ah.  Thanks for the help, truly, but I'm still not getting there.  I
> >> didn't even know about the truststoreFile so I googled it and saw mention
> >> that the easiest thing to do is to set the truststoreFile = the
> >> keystoreFile, since that already has the CA cert in it.  So, I tried
> >> setting truststoreFile to point to my keystoreFile in server.xml.  That
> >> didn't help.  Then I saw that there might be issues with setting
> >> truststoreFile in the server.xml in Tomcat 4.1 so I set it in
> >> CATALINA_OPTS like:
> >>
> >> -Djavax.net.ssl.trustStore="C:/Program Files/Apache Group/Tomcat
> >> 4.1/conf/server.keystore"
> >>
> >> and that didn't help either.  Anything else I'm missing?
> >>
> >>
> >> ----- Original Message ----- 
> >> From: "Bill Barker" <wb...@wilshire.com>
> >> To: <to...@jakarta.apache.org>
> >> Sent: Friday, March 25, 2005 10:13 PM
> >> Subject: Re: Help with SSL & Cert config
> >>
> >>
> >> >
> >> > "joelsherriff" <jo...@comcast.net> wrote in message
> >> > news:005f01c531a6$88850bc0$6701a8c0@akumac...
> >> > >I thought that's what this step:
> >> > >
> >> > > # Import the CA certificate into the server keystore:
> >> > > keytool -import -alias my_ca_alias -keystore
> >> > > server.keystore -trustcacerts -file ca.pem -keypass changeit
> >> > >
> >> > > was doing.  No?
> >> > >
> >> >
> >> > No.  That's putting it into your keystoreFile.  The keystoreFile is
to
> >> > identify you.  The truststoreFile is to identify other people.
> >> >
> >> > > ----- Original Message ----- 
> >> > > From: "Bill Barker" <wb...@wilshire.com>
> >> > > To: <to...@jakarta.apache.org>
> >> > > Sent: Friday, March 25, 2005 8:51 PM
> >> > > Subject: Re: Help with SSL & Cert config
> >> > >
> >> > >
> >> > >> You need to put your CA cert into your Tomcat truststoreFile.
> >> Otherwise,
> >> > >> you client's cert won't be trusted.
> >> > >>
> >> > >> "joelsherriff" <jo...@comcast.net> wrote in message
> >> > >> news:072801c5316b$21557ec0$6701a8c0@akumac...
> >> > >> I'm resending this message because a) for some reason I didn't see
> >> > >> it
> >> on
> >> > > the
> >> > >> list after I sent it and b) I never got any responses (maybe
because
> > of
> >> > >> _a_).  So, if my original post did actually make it to the list,
> > please
> >> > >> forgive the re-post.
> >> > >>
> >> > >> Hope someone can help.  I've searched through the archives and
this
> >> seems
> >> > > to
> >> > >> be a common problem, but even detailed instructions
> >> > >> have left me stumped.  I'm trying to get client certificates to be
> >> > > required
> >> > >> by tomcat by setting clientAuth=true but I can't seem to figure
out
> > how
> >> > >> to get the client certificate to be accepted once I do that.
Here's
> >> what
> >> > >> I've done to generate all the appropriate files (parts coped from
> >> > >> other posts to this list):
> >> > >>
> >> > >> Further elaboration of what we're trying to do:  We want to
require
> >> > >> client
> >> > >> authentication from our customers.  So, IIUC, we'll have to send
> >> > >> them
> > a
> >> > >> signed client cert (p12) to install in their browser and java
> >> keystores.
> >> > >> Again, IIUC, importing the CA certificate, that was used to sign
the
> >> > > client
> >> > >> cert, into the server keystore is what tells the server to accept
> >> > >> the
> >> > > client
> >> > >> certificate presented, because it will be signed by that CA (us).
> >> > >> Is
> >> my
> >> > >> understanding correct?  If so, these steps appear to be correct,
> > unless
> >> > > I've
> >> > >> hosed something up along the way.
> >> > >>
> >> > >> # Create a private key and certificate request
> >> > >> openssl req -new -subj "/C=US/ST=North
> >> > >> Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out
> >> > >> ca.csr -keyout
> >> > >> ca.key
> >> > >>
> >> > >> # Create CA's self-signed certificate
> >> > >> openssl x509 -trustout -signkey ca.key -days 365 -req -in
> >> > >> ca.csr -out
> >> > > ca.pem
> >> > >>
> >> > >> # Copy ca.pem to ca.crt, edit and change "TRUSTED CERTIFICATE" to
> >> > >> "CERTIFICATE"
> >> > >> # import ca.crt into the Trusted Root Certificates Store in IE
> >> > >>
> >> > >> #Import the CA certificate into the JDK certificate authorities
> >> keystore:
> >> > >> keytool -import -keystore
> > "%JAVA_HOME%/jre/lib/security/cacerts" -file
> >> > >> ca.pem -alias my_ca_alias -keypass changeit -storepass changeit
> >> > >>
> >> > >> # Create a file to hold CA's serial numbers.
> >> > >> echo "02" > ca.srl
> >> > >>
> >> > >> # Create a keystore for the web server.
> >> > >> keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D,
> >> > >> O=MyOrganization, L=Raleigh, S=North Carolina, C=US" -keyalg
> >> RSA -keypass
> >> > >> changeit -storepass changeit -keysize 1024 -keystore
> >> > >> server.keystore -storetype JKS
> >> > >>
> >> > >> # Create a certificate request for the web server:
> >> > >> keytool -certreq -keyalg RSA -alias tomcat-sv -file
> >> server.csr -keystore
> >> > >> server.keystore -storepass changeit
> >> > >>
> >> > >> # Sign the certificate request:
> >> > >> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in
> >> > >> server.csr -out server.crt -days 365
> >> > >>
> >> > >> # Import the signed server certificate into the server keystore:
> >> > >> keytool -import -alias tomcat-sv -keystore
> >> > >> server.keystore -trustcacerts -file server.crt -storepass changeit
> >> > >>
> >> > >> # Import the CA certificate into the server keystore:
> >> > >> keytool -import -alias my_ca_alias -keystore
> >> > >> server.keystore -trustcacerts -file ca.pem -keypass changeit
> >> > >>
> >> > >> # Create a client certificate request:
> >> > >> openssl req -new -newkey rsa:512 -nodes -out client1.req -keyout
> >> > > client1.key
> >> > >>
> >> > >> # Sign the client certificate.
> >> > >> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in
> >> > >> client1.req -out client1.pem -days 365
> >> > >>
> >> > >> # Generate a PKCS12 file containing client key and client
> > certificate.
> >> > >> openssl pkcs12 -export -clcerts -in client1.pem -inkey
> > client1.key -out
> >> > >> client1.p12 -name "Client"
> >> > >>
> >> > >> # Import the PKCS12 file into the web browser under Personal
> >> Certificates
> >> > >>
> >> > >> # edit the server.xml file and set clientAuth=true and
keystoreFile
> > to
> >> > > point
> >> > >> to my server.keystore file.
> >> > >>
> >> > >> Once all this is done, neither IE nor my web app can talk to
tomcat
> > on
> >> > >> the
> >> > >> ssl port (8443)
> >> > >>
> >> > >>
> >> > >>
> >> > >>
> >> >
>> ---------------------------------------------------------------------
> >> > >> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> >> > >> For additional commands, e-mail:
tomcat-user-help@jakarta.apache.org
> >> > >>
> >> > >>
> >> >
> >> >
> >> >
> >> >
> >> > ---------------------------------------------------------------------
> >> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> >> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >> >
> >> >
> >>
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> >> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >>
> >>
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: Help with SSL & Cert config

Posted by Bill Barker <wb...@wilshire.com>.
"joelsherriff" <jo...@comcast.net> wrote in message 
news:008001c5323b$83ee29d0$6701a8c0@akumac...
> Well I have more info now.  I turned on debugging and saw that I'm getting 
> a
> 'null cert chain' SSLHandshakeException.  So,
> I started from scratch and went through each of my steps one by one and 
> I've
> apparently got one of them wrong.  Now when
> I do these steps:
>
> # Create a private key and certificate request for your own CA:
> openssl req -new -subj "/C=US/ST=New York/L=New York/CN=akuma-c" -newkey
> rsa:1024 -nodes -out ca.csr -keyout ca.key
>
> # Create CA's self-signed certificate
> openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out 
> ca.pem
>
> #Import the CA certificate into the JDK certificate authorities keystore:
> keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file
> ca.pem -alias myalias -keypass changeit
>

This is either/or with truststoreFile (which, since you are using 4.1.x, is 
done with the -Djavax.net.ssl.trustStore=/path/to/trust.store; for TC 3 & 5 
it's configured like keystoreFile).  However, you need to trust your CA cert 
(i.e. -trustcacerts).

This (and everything I've said before) is assuming that you're using the 
Coyote Connector.  I don't really remember how the (deprecated) 
Http11Connector works (and don't care enough to look it up :).

> # Create a file to hold CA's serial numbers.
> echo "02" > ca.srl
>
> # Create a keystore for web server.
> keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D, O=MyOrg, 
> L=New
> York, S=New York, C=US" -keyalg RSA -keypass changeit -storepass
> changeit -keysize 1024 -keystore server.keystore -storetype JKS
>
> # Create a certificate request for web server:
> keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore
> server.keystore -storepass changeit
>
> # Sign the certificate request:
> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in
> server.csr -out server.crt -days 365
>
> # Import the signed server certificate into the server keystore:
> keytool -import -alias tomcat-sv -keystore
> server.keystore -trustcacerts -file server.crt -storepass changeit
>

It's good practice to import the server CA as well, so that JSSE can send 
the entire chain, but at this point, I imagine you just want it to work ;-). 
It's also necessary if you are pointing your truststore to your keystore.

> I get a 'Failed to establish chain from reply' exception at this point.
>

Since you re-created your CA, you would need to re-import it into your 
browser.  However, I'm guessing that it's because of the lack of trust 
mentioned above.

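A working version of the procedure this thread is debugging, added here as an example (it is not code from the thread or from Tomcat). It builds the own-CA / server-cert / client-cert setup, reproduces keytool's "Failed to establish chain from reply" by importing the server reply before the CA is trusted, then imports the CA cert (the "server CA" here is ca.pem, the certificate that signed server.crt) into the keystore so the full chain can be sent, and into a separate truststore for clientAuth. The subjects, file names, the 2048-bit key size and the ca.cnf file are constructed for the example; openssl is required, and the keytool steps run only when a JDK is on the PATH.

```shell
#!/bin/sh
# Added example (not code from the thread or from Tomcat): build the PKI the
# thread describes, reproduce keytool's "Failed to establish chain from reply",
# and put the CA cert in both the keystore (full chain) and a truststore
# (client-cert verification). Subjects, file names and the 2048-bit key size
# are constructed; openssl is required, keytool steps run only if a JDK is found.
set -eu
PASS=changeit   # same throwaway password the thread uses

# 1. Self-signed CA; the inline config pins CA extensions so that "openssl
# verify" accepts ca.pem as a trust anchor regardless of the system openssl.cnf.
make_ca() {   # $1 = working directory
    cat > "$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = example-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# 2. Sign a CSR with the CA; -CAcreateserial replaces the thread's ca.srl step.
sign_with_ca() {   # $1 = dir, $2 = csr, $3 = output cert
    openssl x509 -req -days 365 -in "$2" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$3" 2>/dev/null
}

# 3. Client key, CA-signed cert and the PKCS12 bundle the customer installs.
make_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout "$1/client1.key" -out "$1/client1.req" 2>/dev/null
    sign_with_ca "$1" "$1/client1.req" "$1/client1.pem"
    openssl pkcs12 -export -clcerts -in "$1/client1.pem" -inkey "$1/client1.key" \
        -out "$1/client1.p12" -name "Client" -passout "pass:$PASS"
}

# Chain checks: verification succeeds only with the CA as trust anchor; without
# it openssl fails for the same reason keytool rejects the server reply.
chain_ok() { openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1; }
chain_fails_without_anchor() {   # returns 0 when verification fails
    if openssl verify "$1" >/dev/null 2>&1; then return 1; fi
}

# 4. Server keystore: key pair, CSR, CA-signed reply. The reply imports only once
# the CA cert is trusted, either as an entry in this keystore or, with
# -trustcacerts, in the JDK cacerts file (the either/or Bill describes).
make_server_keystore() {
    ks="$1/server.keystore"
    keytool -genkeypair -alias tomcat-sv -keyalg RSA -keysize 2048 \
        -dname "CN=localhost, O=Example, C=US" -storetype JKS \
        -keystore "$ks" -storepass "$PASS" -keypass "$PASS" 2>/dev/null
    keytool -certreq -alias tomcat-sv -file "$1/server.csr" \
        -keystore "$ks" -storepass "$PASS" 2>/dev/null
    sign_with_ca "$1" "$1/server.csr" "$1/server.crt"
    # Importing the reply before the CA is trusted is the thread's failure.
    if keytool -importcert -alias tomcat-sv -file "$1/server.crt" \
        -keystore "$ks" -storepass "$PASS" -noprompt >/dev/null 2>&1; then
        echo "expected 'Failed to establish chain from reply'" >&2; return 1
    fi
    # CA first (a trusted-cert entry), then the reply chains cleanly.
    keytool -importcert -alias my_ca_alias -file "$1/ca.pem" \
        -keystore "$ks" -storepass "$PASS" -noprompt 2>/dev/null
    keytool -importcert -alias tomcat-sv -file "$1/server.crt" -trustcacerts \
        -keystore "$ks" -storepass "$PASS" -noprompt 2>/dev/null
    # A two-certificate chain is what lets JSSE send the whole chain.
    keytool -list -v -alias tomcat-sv -keystore "$ks" -storepass "$PASS" \
        2>/dev/null | grep -q "Certificate chain length: 2"
}

# 5. Truststore holds the CA cert only; with clientAuth=true this is what client
# certs are checked against (truststoreFile, or -Djavax.net.ssl.trustStore on 4.1).
make_truststore() {
    keytool -importcert -alias my_ca_alias -file "$1/ca.pem" -storetype JKS \
        -keystore "$1/truststore.jks" -storepass "$PASS" -noprompt 2>/dev/null
}

build_pki() {   # $1 = empty working directory; returns 0 when every check passes
    make_ca "$1"
    make_client "$1"
    chain_ok "$1" "$1/client1.pem"
    chain_fails_without_anchor "$1/client1.pem"
    if command -v keytool >/dev/null 2>&1; then
        make_server_keystore "$1"
        make_truststore "$1"
        chain_ok "$1" "$1/server.crt"
    else
        echo "keytool not found; keystore/truststore steps skipped" >&2
    fi
}

# Stand-alone use: sh pki.sh run
if [ "${1:-}" = run ]; then
    WORK=$(mktemp -d); build_pki "$WORK" && echo "PKI built in $WORK"
fi
```

On Tomcat 5 the resulting files map to the connector's keystoreFile and truststoreFile attributes; on 4.1 the truststore is passed with the -Djavax.net.ssl.trustStore property quoted earlier in the thread.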


Re: Help with SSL & Cert config

Posted by joelsherriff <jo...@comcast.net>.
Well I have more info now.  I turned on debugging and saw that I'm getting a
'null cert chain' SSLHandshakeException.  So, I started from scratch and went
through each of my steps one by one and I've apparently got one of them wrong.
Now when I do these steps:

# Create a private key and certificate request for your own CA:
openssl req -new -subj "/C=US/ST=New York/L=New York/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key

# Create CA's self-signed certificate
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

# Import the CA certificate into the JDK certificate authorities keystore:
keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file ca.pem -alias myalias -keypass changeit

# Create a file to hold CA's serial numbers.
echo "02" > ca.srl

# Create a keystore for web server.
keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D, O=MyOrg, L=New York, S=New York, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS

# Create a certificate request for web server:
keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit

# Sign the certificate request:
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365

# Import the signed server certificate into the server keystore:
keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit

I get a 'Failed to establish chain from reply' exception at this point.




Re: Help with SSL & Cert config

Posted by joelsherriff <jo...@comcast.net>.
Ah.  Thanks for the help, truly, but I'm still not getting there.  I didn't
even know about the truststoreFile so I googled it and saw mention that the
easiest thing to do is to set the truststoreFile = the keystoreFile, since
that already has the CA cert in it.  So, I tried setting truststoreFile to
point to my keystoreFile in server.xml.  That didn't help.  Then I saw that
there might be issues with setting truststoreFile in the server.xml in
Tomcat 4.1 so I set it in CATALINA_OPTS like:

-Djavax.net.ssl.trustStore="C:/Program Files/Apache Group/Tomcat 4.1/conf/server.keystore"

and that didn't help either.  Anything else I'm missing?



Re: Help with SSL & Cert config

Posted by Bill Barker <wb...@wilshire.com>.
"joelsherriff" <jo...@comcast.net> wrote in message 
news:005f01c531a6$88850bc0$6701a8c0@akumac...
>I thought that's what this step:
>
> # Import the CA certificate into the server keystore:
> keytool -import -alias my_ca_alias -keystore
> server.keystore -trustcacerts -file ca.pem -keypass changeit
>
> was doing.  No?
>

No.  That's putting it into your keystoreFile.  The keystoreFile is to 
identify you.  The truststoreFile is to identify other people.


Re: Help with SSL & Cert config

Posted by joelsherriff <jo...@comcast.net>.
I thought that's what this step:

# Import the CA certificate into the server keystore:
keytool -import -alias my_ca_alias -keystore
server.keystore -trustcacerts -file ca.pem -keypass changeit

was doing.  No?

----- Original Message ----- 
From: "Bill Barker" <wb...@wilshire.com>
To: <to...@jakarta.apache.org>
Sent: Friday, March 25, 2005 8:51 PM
Subject: Re: Help with SSL & Cert config


> You need to put your CA cert into your Tomcat truststoreFile.  Otherwise,
> your client's cert won't be trusted.

Re: Help with SSL & Cert config

Posted by Bill Barker <wb...@wilshire.com>.
You need to put your CA cert into your Tomcat truststoreFile.  Otherwise, 
your client's cert won't be trusted.

"joelsherriff" <jo...@comcast.net> wrote in message 
news:072801c5316b$21557ec0$6701a8c0@akumac...
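
Both of Bill's replies above make the same distinction: keystoreFile holds the server's own key and certificate (who the server is), truststoreFile holds the CA certificates whose client certificates the server will accept (whom it trusts), and importing ca.pem into server.keystore does not turn it into a trust anchor. The script below is an added example, not code from the thread, from Tomcat or from Bill Barker. It rebuilds the poster's PKI with openssl (same file names: ca.pem, ca.key, ca.srl, server.csr, server.crt, client1.req, client1.pem), then runs the decision a truststore embodies with openssl verify: client1's certificate chains to ca.pem and is accepted, it does not chain to the server's own certificate, and a client certificate from an unrelated CA is rejected. Assumptions: the working directory is $WORK (default: a fresh mktemp directory); the "rogue" CA and client are constructed here only to show a rejected certificate; key sizes are raised from the thread's 512/1024 bits to 2048; the keytool step runs only where a JDK is on PATH; the Connector attributes are those of the Tomcat 5.x JSSE connector the poster is editing.

```sh
#!/bin/sh
# Added example (not from the thread): rebuild the poster's CA / server / client
# certificates with openssl and show what a truststore check decides.
# Assumptions: $WORK is the working directory (default: fresh mktemp -d);
# the rogue CA and rogue client are constructed purely for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_pki() {
  # 1. Self-signed CA. The thread builds it in two steps (req, then x509 -signkey);
  #    req -x509 does both at once and marks the certificate as a CA.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
      -subj "/C=US/ST=North Carolina/L=Raleigh/CN=akuma-ca" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  echo 02 > "$WORK/ca.srl"

  # 2. Server identity (what belongs in keystoreFile) and the customer's client
  #    certificate (what goes into client1.p12), both signed by the CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=akuma-c" \
      -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAserial "$WORK/ca.srl" -days 365 -out "$WORK/server.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
      -keyout "$WORK/client1.key" -out "$WORK/client1.req" 2>/dev/null
  openssl x509 -req -in "$WORK/client1.req" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAserial "$WORK/ca.srl" -days 365 -out "$WORK/client1.pem" 2>/dev/null

  # 3. Constructed for the demo only: an unrelated CA and a client it signed.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -subj "/CN=rogue-ca" \
      -keyout "$WORK/rogue-ca.key" -out "$WORK/rogue-ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=rogue-client" \
      -keyout "$WORK/rogue.key" -out "$WORK/rogue.req" 2>/dev/null
  openssl x509 -req -in "$WORK/rogue.req" -CA "$WORK/rogue-ca.pem" \
      -CAkey "$WORK/rogue-ca.key" -CAcreateserial -days 365 \
      -out "$WORK/rogue-client.pem" 2>/dev/null
}

# The decision a truststore embodies: does the certificate the peer presented
# chain to a CA held as a trust anchor?  Prints ok or fail for the caller.
verify_against() {   # $1 = trust anchor file, $2 = certificate presented by the peer
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# truststoreFile holds ca.pem: client1's certificate chains to it and is accepted.
client_vs_truststore()       { verify_against "$WORK/ca.pem"     "$WORK/client1.pem"; }
# keystoreFile holds the server's own certificate, which is an identity, not a
# trust anchor; client1 does not chain to it.
client_vs_server_cert()      { verify_against "$WORK/server.crt" "$WORK/client1.pem"; }
# clientAuth="true" means "present a certificate issued by a CA in my truststore",
# not "present any certificate": another CA's client is rejected.
rogue_client_vs_truststore() { verify_against "$WORK/ca.pem"     "$WORK/rogue-client.pem"; }

# Tomcat reads the truststore through JSSE, so hand it a JKS containing ca.pem as a
# trusted entry.  keytool ships with the JDK; skipped where none is installed.
make_truststore() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH; truststore.jks not built"; return 0; }
  rm -f "$WORK/truststore.jks"
  keytool -import -noprompt -trustcacerts -alias my_ca_alias -file "$WORK/ca.pem" \
      -keystore "$WORK/truststore.jks" -storepass changeit
}

# The two attributes Bill distinguishes, on the HTTPS connector in server.xml:
# keystoreFile = who the server is, truststoreFile = whose client certs it accepts.
tomcat_connector() {
  cat <<EOF
<Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="$WORK/server.keystore" keystorePass="changeit"
           truststoreFile="$WORK/truststore.jks" truststorePass="changeit"
           clientAuth="true" />
EOF
}

make_pki
printf 'client1.pem vs ca.pem (truststore):            %s\n' "$(client_vs_truststore)"       # ok
printf 'client1.pem vs server.crt (keystore identity): %s\n' "$(client_vs_server_cert)"      # fail
printf 'rogue-client.pem vs ca.pem (truststore):       %s\n' "$(rogue_client_vs_truststore)" # fail
make_truststore
tomcat_connector
```

Once the connector carries both attributes and Tomcat has been restarted, the same check can be run against the live port without a browser: openssl s_client -connect localhost:8443 -cert client1.pem -key client1.key -CAfile ca.pem. A handshake that completes and shows "Verify return code: 0 (ok)" means the server accepted the client certificate; a handshake that the server cuts off right after the certificate exchange is the symptom the original post describes and points at the truststore, not at the keystore.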