You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Ron Perkins <ro...@googlemail.com> on 2009/04/20 10:14:12 UTC
Tomcat 5.5 Trust Stores and Client Authentication
Hi All,
I have done the following to create a Trust Store for Tomcat to use:
Created a keystore with new certificate:
keytool -genkey -alias mycert -keyalg RSA -kaypass changeit -keystore
keystore.jks -storepass changeit
Exported certificate:
keytool -export -alias mycert -file mycert.cer -keystore keystore.jks
-storepass changeit
Imported certificate into trust store:
keytool -import -v -trustcacerts alias mycert -keypass changeit -file
mycert.cer -keystore cacerts.jks -storepass changeit
Added the following Connector into server.xml to allow Client Authentication:
<Connector
port="443"
scheme="https"
secure="true"
keystoreFile="C:/keystore.jks"
keystorePass="changeit"
keystoreType="JKS"
keyAlias="mykey"
truststoreFile="C:/cacerts.jks"
truststorePass="changeit"
truststoreType="JKS"
sslProtocol="TLS"
maxSpareThreads="75"
maxThreads="350"
uRIEncoding="UTF-8"
minSpareThreads="25"
clientAuth="true">
</Connector>
After starting Tomcat up, using netstat I can see that port 443 is listening...
When using IE to test the connection to the https default page I get
IE's no communication web page displayed. If I use Firefox this gives
me the following error: SSL peer cannot verify your certificate (Error
code: ssl_error_bad_cert_alert)
I was expecting a message to say that the client needs a client
certificate? I then installed the client certificate mycert.cer into
the client browsers, but has no effect and I still recevie the same
error messages.
To check that I have SSL correctly installed, if I change
clientAuth="true" to clientAuth="false" then default Tomcatwebpage is
displayed within the browsers.
What have I done wrong? I am thinking that it is the way that I have
created the Trust store that is the problem?
Thanks for any help in advance...
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat 5.5 Trust Stores and Client Authentication
Posted by Hans Wahn <ha...@googlemail.com>.
>> I then installed the client certificate mycert.cer into
>> the client browsers, but has no effect and I still recevie the same
>> error messages.
Is Firefox able to authenticate itself via a client certificate
against a server? Maybe you just installed it in the truststore of
trustfull servers?
- just a thought -
cheers
Hans
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Tomcat 5.5 Trust Stores and Client Authentication
Posted by aravidu <ar...@yahoo.com>.
Did you finally figure out how to fix this issue? I am having the same issue
today..
Can you please help, if you happen to look at this? The only change is I am
using tomcat 6.0
Thanks much.
-A
Ron Perkins-2 wrote:
>
> Hi All,
>
> I have done the following to create a Trust Store for Tomcat to use:
>
> Created a keystore with new certificate:
>
> keytool -genkey -alias mycert -keyalg RSA -kaypass changeit -keystore
> keystore.jks -storepass changeit
>
> Exported certificate:
>
> keytool -export -alias mycert -file mycert.cer -keystore keystore.jks
> -storepass changeit
>
> Imported certificate into trust store:
>
> keytool -import -v -trustcacerts alias mycert -keypass changeit -file
> mycert.cer -keystore cacerts.jks -storepass changeit
>
> Added the following Connector into server.xml to allow Client
> Authentication:
>
> <Connector
> port="443"
> scheme="https"
> secure="true"
> keystoreFile="C:/keystore.jks"
> keystorePass="changeit"
> keystoreType="JKS"
> keyAlias="mykey"
> truststoreFile="C:/cacerts.jks"
> truststorePass="changeit"
> truststoreType="JKS"
> sslProtocol="TLS"
> maxSpareThreads="75"
> maxThreads="350"
> uRIEncoding="UTF-8"
> minSpareThreads="25"
> clientAuth="true">
> </Connector>
>
> After starting Tomcat up, using netstat I can see that port 443 is
> listening...
>
> When using IE to test the connection to the https default page I get
> IE's no communication web page displayed. If I use Firefox this gives
> me the following error: SSL peer cannot verify your certificate (Error
> code: ssl_error_bad_cert_alert)
>
> I was expecting a message to say that the client needs a client
> certificate? I then installed the client certificate mycert.cer into
> the client browsers, but has no effect and I still recevie the same
> error messages.
>
> To check that I have SSL correctly installed, if I change
> clientAuth="true" to clientAuth="false" then default Tomcatwebpage is
> displayed within the browsers.
>
> What have I done wrong? I am thinking that it is the way that I have
> created the Trust store that is the problem?
>
> Thanks for any help in advance...
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
--
View this message in context: http://old.nabble.com/Tomcat-5.5-Trust-Stores-and-Client-Authentication-tp23132214p29486541.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Tomcat 5.5 Trust Stores and Client Authentication
Posted by Jason Smith <js...@infotrustgroup.com>.
I think by installing the .cer file, you installed the "public" part of the client certificate. A .cer file is supposed to contain the publicly distributable portion of the client certificate.
The browsers need the "private" part. That's why it's called a "client certificate". You import the .cer file into your Java JKS keystore on the server, and that lets the server know it can trust the client. You also have to set up a user account matching the certificate in tomcat-users.xml for the server portion to function. And there is a web.xml part too. You'll need to import a .p12 file that is generated as part of the whole process into the browsers. If you don't have a .p12 file handy, you need to figure out how to get one from somewhere. You double click on a .p12 file to import it into Window's keystore. FireFox also allows you to directly import a .p12 file.
-----Original Message-----
From: Jorge Medina [mailto:jmedina@e-dialog.com]
Sent: Monday, April 20, 2009 9:49 AM
To: Tomcat Users List
Subject: RE: Tomcat 5.5 Trust Stores and Client Authentication
I have not used client certificates, but in order to use SSL with
self-generated certificates you need to add your server self-signed
certificate to the trusted roots of your Windows account or computer
account. Use the "Certificates" plug-in on an MMC console to perform the
operation.
The operation above guarantees that IE can verify the identity of your
server.
When using client-certificates, you need to guarantee the opposite too:
your server needs to be able to verify the identity of the client.
After installing the client certificate on IE, you also need to install
the client-certificate -or the CA root of the client certificate- into
the store used by Tomcat. I would assume that Tomcat uses the JVM trust
store, so you would need to specify:
CATALINA_OPTS="-Djavax.net.ssl.trustStore=your_path_to/cacerts.jks
-Djavax.net.ssl.trustStorePassword=your_password"
But the documentation indicates to use the attributes:
truststoreFile="C:/cacerts.jks"
truststorePass="changeit"
truststoreType="JKS"
...that you already have tried.
So, try setting the variables above.
-Jorge
-----Original Message-----
From: Ron Perkins [mailto:ronperkins.uk@googlemail.com]
Sent: Monday, April 20, 2009 4:14 AM
To: users@tomcat.apache.org
Subject: Tomcat 5.5 Trust Stores and Client Authentication
Hi All,
I have done the following to create a Trust Store for Tomcat to use:
Created a keystore with new certificate:
keytool -genkey -alias mycert -keyalg RSA -kaypass changeit -keystore
keystore.jks -storepass changeit
Exported certificate:
keytool -export -alias mycert -file mycert.cer -keystore keystore.jks
-storepass changeit
Imported certificate into trust store:
keytool -import -v -trustcacerts alias mycert -keypass changeit -file
mycert.cer -keystore cacerts.jks -storepass changeit
Added the following Connector into server.xml to allow Client
Authentication:
<Connector
port="443"
scheme="https"
secure="true"
keystoreFile="C:/keystore.jks"
keystorePass="changeit"
keystoreType="JKS"
keyAlias="mykey"
truststoreFile="C:/cacerts.jks"
truststorePass="changeit"
truststoreType="JKS"
sslProtocol="TLS"
maxSpareThreads="75"
maxThreads="350"
uRIEncoding="UTF-8"
minSpareThreads="25"
clientAuth="true">
</Connector>
After starting Tomcat up, using netstat I can see that port 443 is
listening...
When using IE to test the connection to the https default page I get
IE's no communication web page displayed. If I use Firefox this gives me
the following error: SSL peer cannot verify your certificate (Error
code: ssl_error_bad_cert_alert)
I was expecting a message to say that the client needs a client
certificate? I then installed the client certificate mycert.cer into the
client browsers, but has no effect and I still recevie the same error
messages.
To check that I have SSL correctly installed, if I change
clientAuth="true" to clientAuth="false" then default Tomcatwebpage is
displayed within the browsers.
What have I done wrong? I am thinking that it is the way that I have
created the Trust store that is the problem?
Thanks for any help in advance...
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: Tomcat 5.5 Trust Stores and Client Authentication
Posted by Jorge Medina <jm...@e-dialog.com>.
I have not used client certificates, but in order to use SSL with
self-generated certificates you need to add your server self-signed
certificate to the trusted roots of your Windows account or computer
account. Use the "Certificates" plug-in on an MMC console to perform the
operation.
The operation above guarantees that IE can verify the identity of your
server.
When using client-certificates, you need to guarantee the opposite too:
your server needs to be able to verify the identity of the client.
After installing the client certificate on IE, you also need to install
the client-certificate -or the CA root of the client certificate- into
the store used by Tomcat. I would assume that Tomcat uses the JVM trust
store, so you would need to specify:
CATALINA_OPTS="-Djavax.net.ssl.trustStore=your_path_to/cacerts.jks
-Djavax.net.ssl.trustStorePassword=your_password"
But the documentation indicates to use the attributes:
truststoreFile="C:/cacerts.jks"
truststorePass="changeit"
truststoreType="JKS"
...that you already have tried.
So, try setting the variables above.
-Jorge
-----Original Message-----
From: Ron Perkins [mailto:ronperkins.uk@googlemail.com]
Sent: Monday, April 20, 2009 4:14 AM
To: users@tomcat.apache.org
Subject: Tomcat 5.5 Trust Stores and Client Authentication
Hi All,
I have done the following to create a Trust Store for Tomcat to use:
Created a keystore with new certificate:
keytool -genkey -alias mycert -keyalg RSA -kaypass changeit -keystore
keystore.jks -storepass changeit
Exported certificate:
keytool -export -alias mycert -file mycert.cer -keystore keystore.jks
-storepass changeit
Imported certificate into trust store:
keytool -import -v -trustcacerts alias mycert -keypass changeit -file
mycert.cer -keystore cacerts.jks -storepass changeit
Added the following Connector into server.xml to allow Client
Authentication:
<Connector
port="443"
scheme="https"
secure="true"
keystoreFile="C:/keystore.jks"
keystorePass="changeit"
keystoreType="JKS"
keyAlias="mykey"
truststoreFile="C:/cacerts.jks"
truststorePass="changeit"
truststoreType="JKS"
sslProtocol="TLS"
maxSpareThreads="75"
maxThreads="350"
uRIEncoding="UTF-8"
minSpareThreads="25"
clientAuth="true">
</Connector>
After starting Tomcat up, using netstat I can see that port 443 is
listening...
When using IE to test the connection to the https default page I get
IE's no communication web page displayed. If I use Firefox this gives me
the following error: SSL peer cannot verify your certificate (Error
code: ssl_error_bad_cert_alert)
I was expecting a message to say that the client needs a client
certificate? I then installed the client certificate mycert.cer into the
client browsers, but has no effect and I still recevie the same error
messages.
To check that I have SSL correctly installed, if I change
clientAuth="true" to clientAuth="false" then default Tomcatwebpage is
displayed within the browsers.
What have I done wrong? I am thinking that it is the way that I have
created the Trust store that is the problem?
Thanks for any help in advance...
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org