Posted to users@tomcat.apache.org by Spiros Vazaloukas <sp...@necis.be> on 2002/06/18 15:44:45 UTC

SSL Client authentication

Hi all,

I am using SSL client authentication on Tomcat 4.0.1 but I am
getting some errors. I've enabled client authentication in
server.xml and I've created all the certificates.
If somebody has some experience in similar configurations
please have a look at the steps I followed and let me know
if you see something wrong:


***** Generate tomcat certificate ***************
keytool -genkey -alias tomcat -keyalg RSA
keytool -certreq -alias tomcat -file tomcat.csr

***** Generate the ca certificate ***************
openssl req -new -newkey rsa:512 -nodes \
            -out ca.req -keyout ca.key
openssl x509 -trustout -signkey ca.key -days 365 \
            -req -in ca.req -out ca.crt

***** Sign the tomcat request to generate my certificates *********
openssl x509 -CA ca.crt -CAkey ca.key -in tomcat.csr \
        -out tomcat.crt -req -CAcreateserial

************ Import both into the cacerts *******************
keytool -import -file ca.crt -alias RootCert \
        -keystore $JAVA_HOME/jre/lib/security/cacerts
keytool -import -file tomcat.crt -alias tomcat  \
        -keystore $JAVA_HOME/jre/lib/security/cacerts

*************** Generate a client certificate  ***********************
openssl req -new -newkey rsa:512 -nodes -out \
            client.req -keyout client.key
openssl x509 -CA ca.crt -CAkey ca.key -req -in \
            client.req -out client.crt

But when I run the following test:
openssl s_client -cert client.crt -key client.key \
            -connect localhost:8443
I get an error:

CONNECTED(00000003)
2504:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:s23_clnt.c:455:

Any idea?

Thanks
Spiros
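The same three-tier setup (private CA, server certificate, client certificate) as an added example that is not part of the original post, written as a POSIX shell script with the offline checks worth running before any `openssl s_client` test: does each certificate verify against the CA, and does each private key actually belong to its certificate. It assumes the `openssl` CLI (1.1 or later) and `mktemp` are available; the subjects, file names and the `WORK` scratch directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the poster's commands): build a private CA, a
# CA-signed server cert and a CA-signed client cert, then check them.
# All subjects and file names below are constructed for this demo.
set -eu

# Scratch directory for the generated files (assumption: mktemp exists).
WORK="${WORK:-$(mktemp -d)}"

build_pki() {
  # 1. Self-signed CA. 2048-bit RSA: current TLS stacks reject 512-bit keys.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
      -subj "/CN=Demo Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # 2. Server key + CSR, signed by the CA (same role as the tomcat.csr step).
  #    -CAcreateserial writes ca.srl beside ca.crt and reuses it afterwards.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
      -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 365 -out "$WORK/server.crt" 2>/dev/null
  # 3. Client key + CSR, signed by the same CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
      -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 365 -out "$WORK/client.crt" 2>/dev/null
}

# Check 1: does the certificate chain to the CA the peer will trust?
# Returns 0 when "openssl verify" accepts it against ca.crt.
verify_chain() {  # $1 = certificate file name inside $WORK
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1" >/dev/null 2>&1
}

# Check 2: does the private key belong to the certificate? Both commands
# print the same SubjectPublicKeyInfo PEM when they match; a mismatch only
# shows up later as a handshake alert, so it is worth checking up front.
key_matches_cert() {  # $1 = key file, $2 = certificate file (inside $WORK)
  k=$(openssl pkey -in "$WORK/$1" -pubout 2>/dev/null || true)
  c=$(openssl x509 -in "$WORK/$2" -pubkey -noout 2>/dev/null || true)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 3: subject and issuer, the fields to compare with the CA names the
# server advertises when it asks for a client certificate.
show_identity() {  # $1 = certificate file name inside $WORK
  openssl x509 -in "$WORK/$1" -noout -subject -issuer
}

# Run with "sh script.sh run" to build the files and print the results.
if [ "${1:-}" = "run" ]; then
  build_pki
  verify_chain server.crt && echo "server.crt chains to ca.crt"
  verify_chain client.crt && echo "client.crt chains to ca.crt"
  key_matches_cert client.key client.crt && echo "client.key matches client.crt"
  show_identity client.crt
  echo "files in $WORK"
fi
```

Two points this script makes explicit that the keytool steps hide: a CA-signed reply for a keytool-generated key must be imported into the same keystore and under the same alias as that key (the one Tomcat's connector points at), and a trust store such as `cacerts` should receive only the CA certificate, never the leaf. The `key_matches_cert` check is the offline equivalent of confirming that pairing; `verify_chain` confirms the client certificate was issued by a CA the server trusts, which is what the server checks before it accepts the client in the handshake.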
