Posted to users@tomcat.apache.org by Donie Kelly <do...@tecnomen.ie> on 2002/12/12 13:07:34 UTC

Creating a signed SSL certificate with my own CA

Hi all
I'm really stuck here and I'd appreciate some help. To summarise, I've
followed the instructions below to generate a CA key so that I can sign my
own certificates for use with tomcat. The instructions below work and the
ca.crt and client.crs.der certs that pop out are viewable in IE. If I import
the CA key it shows the client.crs.der key with the CA above. Everything
looks great.
Then I use the testkeys with tomcat:
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               address="192.168.1.4" port="443" enableLookups="true" scheme="https"
               secure="true">
        <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
                 clientAuth="false" protocol="TLS" keystoreFile="c:\tomcat4.0\conf\testkeys"
                 keystorePass="changeit" />
    </Connector>
Now when I try to connect with SSL from IE it just shows
Cannot find server or DNS Error
What am I doing wrong? Are the certs I am creating suitable for SSL with
Tomcat? I'd really appreciate some help.
Donie

PS: Instructions from http://www.ddj.com/documents/s=870/ddj0102a/0102a.htm 
Certificate Authority
In a nutshell, what I'm suggesting is that you create your own Certificate
Authority (CA) to sign your keys. This gets complicated because nothing in
the Java Development Kit or JSSE lets you set up a CA and sign keys. You
have to go elsewhere for tools to do this. I chose to go with the OpenSSL
toolkit (http://www.openssl.org/) running on Linux. There are toolsets
available from other vendors and platforms, however. If you choose to use a
different toolset, you will just have to substitute the appropriate
commands; the theory is the same no matter what.
First, you need to generate your CA's key. That key is used to sign all the
other application keys. The OpenSSL toolkit comes configured to setup a CA
from whatever directory you start it in. This means that you need to use all
the CA commands from the same directory. In the sample code, you'll find the
CA directory that I used to generate the CA key and sign all the application
keys:
1. Generate the CA key (the -des option encrypts ca.key under a passphrase)
$ openssl genrsa -des -out ca.key 1024
2. Create a self-signed certificate
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You are prompted for location information for the certificate. Enter
whatever you want, but make sure you enter something for each field:
3. Set up the OpenSSL CA tools
$ mkdir demoCA
$ mkdir demoCA/newcerts
$ touch demoCA/index.txt
$ cp ca.crt demoCA/
$ echo "01" > demoCA/serial
You now can create the client application's key store and export its public
key so your CA can sign it. You can enter whatever you want for all the
location information, but again make sure you enter something - standard
alphanumeric characters and spaces, but no underscores or other special
characters - for every field: 
4. Create a new key store for the client application
$ keytool -keystore testkeys -genkey -alias client
When prompted, enter passphrase for the password to use this keystore with
the sample applications.
5. Export the client's public key
$ keytool -keystore testkeys -certreq -alias client -file client.crs
6. Sign the client's key with our CA key
$ openssl ca -config /etc/openssl.cnf -in client.crs -out client.crs.pem \
    -keyfile ca.key -cert ca.crt
At this point, you should have a file called "client.crs.pem," which is the
signed public key. It needs to be converted to a format suitable for the
JDK's keytool command, and then imported into the testkeys keystore:
7. Convert to DER format
$ openssl x509 -in client.crs.pem -out client.crs.der -outform DER
8. Import CA certificate into client's key store
$ keytool -keystore testkeys -alias jsse_article_ca -import -file ca.crt
9. Import signed key into client's key store
$ keytool -keystore testkeys -alias client -import -file client.crs.der
Step 8 must be completed so that the keytool command agrees to import the
signed key. While importing the signed key, keytool checks the signatories
to ensure that their signatures can be validated. They can be validated if
their public keys are in the key store.
Once you have completed all of these steps, move the testkeys key store to
the client directory. Start over with step 4 and create a key store for the
server process. Just substitute "server" everywhere you see "client." Make
sure you enter something different in one of the location fields
(organizational unit would be a good choice).


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
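
A scripted, checkable version of the CA side of the procedure above (steps 1-3 and 6-7), added here as an example and not code from the thread or the DDJ article. It assumes openssl on PATH and a CA_DIR path without spaces, and leaves the CA key unencrypted so it can run without prompts; the keytool steps 4, 5, 8 and 9 stay as written, and verify_signed is the check to run on client.crs.pem before the keystore goes into server.xml.

```shell
# Added example (not from the thread or the DDJ article): steps 1-3 and 6-7
# above as shell functions with a self-contained openssl.cnf, plus the check
# the article never runs: does the signed certificate chain to ca.crt?
# Assumptions: openssl on PATH, no spaces in CA_DIR, CA key left unencrypted
# so the script is non-interactive (pass -des as in step 1 for real use).
set -eu
CA_DIR="${CA_DIR:-./myca}"
write_ca_config() {   # replaces the article's dependence on /etc/openssl.cnf
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
policy = local_policy
[ local_policy ]
commonName = supplied
organizationName = optional
organizationalUnitName = optional
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
}
make_ca() {   # steps 1-3: CA key, self-signed CA cert, CA working directory
    mkdir -p "$CA_DIR/newcerts"; : > "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"
    write_ca_config
    openssl genrsa -out "$CA_DIR/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$CA_DIR/ca.key" -config "$CA_DIR/openssl.cnf" \
        -subj "/O=Example/OU=CA/CN=Test CA" -out "$CA_DIR/ca.crt"
}
sign_csr() {   # steps 6-7: sign_csr client.crs client.crs.pem client.crs.der
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -in "$1" -out "$2" 2>/dev/null
    openssl x509 -in "$2" -out "$3" -outform DER
}
verify_signed() {   # exit status 0 only if the certificate chains to ca.crt
    openssl verify -CAfile "$CA_DIR/ca.crt" "$1" >/dev/null 2>&1
}
```

Run make_ca once, then sign_csr on the client.crs that keytool exported in step 5 and import the resulting .der as in steps 8 and 9; a certificate that fails verify_signed will not be accepted by keytool either.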


Re: Creating a signed SSL certificate with my own CA

Posted by Christoph Fischer <cf...@bb-sw.de>.
Maybe you have an entry for a special proxy server
in your IE for SSL connections?
I've created a key with the keytool from j2sdk1.4.1 and it works without 
problem

Chris

