Posted to users@tomcat.apache.org by "Tathagat (London)" <Ta...@DrKW.com> on 2002/07/15 16:05:35 UTC

Client Certificates with Tomcat

Hi All,
I am working with Tomcat 4. I do all the steps provided in server.xml, viz.:
__________________________________________________________
Step 2: Generate Client and Server Certificates
It is necessary to generate a Certificate for the client and the server.
These Certificates are then imported into a keystore, to which the client
and server connect. 
The keystore acts as a database for security certificates. 
You are going to use the keytool utility in the JDK to do these tasks (see
Sun's documentation for more information on this tool). 
Step 2a: Generate a Server Key and Certificate
Launch keytool from a shell (or command prompt) to generate your public and
private key. 
Note that the Certificate and keystore files will be generated in the
directory you run keytool from. 
Use keytool as follows: 
keytool -genkey -alias tomcat-sv -dname "CN=[Common Name],OU=[Organisation Unit], O=[Organisation Name], L=[Locality], S=[State Name], C=[Two-Letter Country Code]" -keyalg RSA -keypass [private key password] -storepass [keystore password] -keystore [keystore file name]

For example, to generate a keystore (in file server.keystore) for server
soapsvr.test.tcd.ie using password changeit (for both the keystore and the
certificate) in the Computer Engineering group at Trinity College Dublin,
Ireland, one would type the following:

keytool -genkey -alias tomcat-sv -dname "CN=soapsvr.test.tcd.ie, OU=ComputerEngineering, O=Trinity College Dublin, L=Dublin, S=Dublin, C=IE" -keyalg RSA -keypass changeit -storepass changeit -keystore server.keystore

Note that 

The RSA algorithm is used to generate certificates. 
Ensure that the 'CN' field that you specify when you create the server
certificate matches the name of the machine on which you're running tomcat,
or your browser will complain about certificate name mis-matches (not a
problem on a test server, a big problem on a production server!). 
Step 2b: Export the Server Certificate
From the command prompt run this command to export your certificate from the
keystore into an external file (we do this so we can import the certificate
into the client's keystore as a trusted certificate).

keytool -export -alias tomcat-sv -storepass changeit -file server.cer -keystore server.keystore


If everything works, you should now have a file called server.cer which
contains your server's certificate. 
Step 2c: Generate a Client Key and Certificate
This step is very similar to the generation of the server key and
certificate - it uses the same keytool tool with different parameters. 
Note that the keystore file name has changed (it is now client.keystore).
Use keytool as follows: 
keytool -genkey -alias tomcat-cl -dname "CN=Client,OU=TRL, O=IBM, L=Yamato-shi, S=Kanagawa-ken, C=JP" -keyalg RSA -keypass changeit -storepass changeit -keystore client.keystore

Step 2d: Export the Client Certificate
This step is very similar to the export of the server certificate - it uses
the same keytool tool with different parameters: 
keytool -export -alias tomcat-cl -storepass changeit -file client.cer -keystore client.keystore


If everything works, you should now have a file called client.cer which
contains your client's certificate. 
Step 2e: Import the Certificates into the Keystores
We want the client certificate to be added to the server's keystore, and the
server's certificate to be added to the client's keystore. 
Doing this will mean that the client and server trust one another. 
Import the server certificate into the client's keystore:

keytool -import -v -trustcacerts -alias tomcat -file server.cer -keystore client.keystore -keypass changeit -storepass changeit

Import the client certificate into the server's keystore:

keytool -import -v -trustcacerts -alias tomcat -file client.cer -keystore server.keystore -keypass changeit -storepass changeit
__________________________________________________________

as long as I keep clientAuth="false" in server.xml it runs fine.

But when I make it true, it looks for the client certificate, which it
obviously can't find. How do I get the client certificate from the above? What
is client.cer then?

Any clues appreciated.

Thanks and Regards
Tathagat

GBS - Legal Services
Phone: +49 (0) 69 263 16854
Fax:  +49 (0) 69 263 16540
Mobile: +49 (0) 160 98589882
Private Email: mail@tathagat.com
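The quoted steps 2a to 2e run end to end and then checked with keytool -list, as an added shell example that is not part of the original post or of Tomcat's documentation. It assumes a JDK keytool on PATH and uses the same aliases, file names and password as the quoted steps; -noprompt is added so the imports do not stop at the "Trust this certificate?" question. The final PKCS12 export (keytool -importkeystore, JDK 6 or later) is an assumption beyond the quoted steps: client.cer holds only the client's public certificate, while a browser challenged by a clientAuth="true" connector must also hold the matching private key.

```shell
#!/bin/sh
# Added example: the quoted steps 2a-2e as functions, plus a keytool -list
# check of the result. Assumes a JDK "keytool" on PATH.
set -eu

PASS=changeit   # the "changeit" used for both keystore and key in the post

# Steps 2a-2d: self-signed key pair, then export of the public certificate.
# The .cer file holds only the certificate, never the private key.
gen_and_export() {  # $1=alias $2=keystore $3=cer file $4=dname
    keytool -genkey -alias "$1" -dname "$4" -keyalg RSA \
        -keypass "$PASS" -storepass "$PASS" -keystore "$2"
    keytool -export -alias "$1" -storepass "$PASS" -file "$3" -keystore "$2"
}

# Step 2e: import the other side's certificate as a trusted entry.
# -noprompt (not in the quoted command) answers the "Trust this
# certificate?" question so the script runs unattended.
import_trusted() {  # $1=cer file $2=keystore
    keytool -import -v -trustcacerts -noprompt -alias tomcat -file "$1" \
        -keystore "$2" -keypass "$PASS" -storepass "$PASS"
}

# Count keystore entries of a type: "keyentry" matches both the old
# "keyEntry" and the newer "PrivateKeyEntry" label, "trustedcertentry"
# matches imported trusted certificates.
count_entries() {  # $1=keystore $2=entry type (case-insensitive)
    keytool -list -keystore "$1" -storepass "$PASS" | grep -ic "$2" || true
}

build_keystores() {  # writes server.* and client.* into the current directory
    gen_and_export tomcat-sv server.keystore server.cer \
        "CN=soapsvr.test.tcd.ie, OU=ComputerEngineering, O=Trinity College Dublin, L=Dublin, S=Dublin, C=IE"
    gen_and_export tomcat-cl client.keystore client.cer \
        "CN=Client, OU=TRL, O=IBM, L=Yamato-shi, S=Kanagawa-ken, C=JP"
    import_trusted server.cer client.keystore
    import_trusted client.cer server.keystore
    # Assumption beyond the quoted steps (keytool -importkeystore, JDK 6+):
    # bundle the client's private key AND certificate as PKCS12, which is
    # what a browser needs to answer a clientAuth="true" connector.
    keytool -importkeystore -srckeystore client.keystore -srcstorepass "$PASS" \
        -srcalias tomcat-cl -destkeystore client.p12 -deststoretype PKCS12 \
        -deststorepass "$PASS" -destkeypass "$PASS" -noprompt
}

if [ "${1:-}" = "--run" ]; then   # usage: sh mutual_trust.sh --run
    cd "$(mktemp -d)" && build_keystores
    keytool -list -keystore server.keystore -storepass "$PASS"
fi
```

After a run, each keystore lists one key entry (its own tomcat-sv or tomcat-cl pair) and one trusted certificate entry (the other side's, under alias tomcat), and client.p12 is the file to import into the browser.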
