Re: Tomcat 5.5 Trust Stores and Client Authentication

2010-08-20 Thread Hans Wahn
 I then installed the client certificate mycert.cer into
 the client browsers, but it has no effect and I still receive the same
 error messages.

Is Firefox able to authenticate itself via a client certificate
against a server? Maybe you just installed it in the truststore of
trusted servers?
- just a thought -

cheers
Hans

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat 5.5 Trust Stores and Client Authentication

2010-08-19 Thread aravidu

Did you finally figure out how to fix this issue? I am having the same issue
today.
Can you please help, if you happen to look at this? The only change is I am
using Tomcat 6.0.

Thanks much.
-A


Ron Perkins-2 wrote:
 
 Hi All,
 
 I have done the following to create a Trust Store for Tomcat to use:
 
 Created a keystore with new certificate:
 
 keytool -genkey -alias mycert -keyalg RSA -keypass changeit -keystore
 keystore.jks -storepass changeit
 
 Exported certificate:
 
 keytool -export -alias mycert -file mycert.cer -keystore keystore.jks
 -storepass changeit
 
 Imported certificate into trust store:
 
 keytool -import -v -trustcacerts -alias mycert -keypass changeit -file
 mycert.cer -keystore cacerts.jks -storepass changeit
 
 Added the following Connector into server.xml to allow Client
 Authentication:
 
 <Connector
    port="443"
    scheme="https"
    secure="true"
    keystoreFile="C:/keystore.jks"
    keystorePass="changeit"
    keystoreType="JKS"
    keyAlias="mykey"
    truststoreFile="C:/cacerts.jks"
    truststorePass="changeit"
    truststoreType="JKS"
    sslProtocol="TLS"
    maxSpareThreads="75"
    maxThreads="350"
    URIEncoding="UTF-8"
    minSpareThreads="25"
    clientAuth="true"
 />
 
 After starting Tomcat up, using netstat I can see that port 443 is
 listening...
 
 When using IE to test the connection to the https default page I get
 IE's no communication web page displayed. If I use Firefox this gives
 me the following error: SSL peer cannot verify your certificate (Error
 code: ssl_error_bad_cert_alert)
 
 I was expecting a message to say that the client needs a client
 certificate? I then installed the client certificate mycert.cer into
 the client browsers, but it has no effect and I still receive the same
 error messages.
 
 To check that I have SSL correctly installed, if I change
 clientAuth="true" to clientAuth="false" then the default Tomcat web page is
 displayed within the browsers.
 
 What have I done wrong? I am thinking that it is the way that I have
 created the Trust store that is the problem?
 
 Thanks for any help in advance...
 
 
 

-- 
View this message in context: 
http://old.nabble.com/Tomcat-5.5-Trust-Stores-and-Client-Authentication-tp23132214p29486541.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





RE: Tomcat 5.5 Trust Stores and Client Authentication

2009-04-20 Thread Jorge Medina

I have not used client certificates, but in order to use SSL with
self-generated certificates you need to add your server self-signed
certificate to the trusted roots of your Windows account or computer
account. Use the Certificates plug-in on an MMC console to perform the
operation.

The operation above guarantees that IE can verify the identity of your
server.

When using client-certificates, you need to guarantee the opposite too:
your server needs to be able to verify the identity of the client.

After installing the client certificate on IE, you also need to install
the client certificate (or the CA root of the client certificate) into
the store used by Tomcat. I would assume that Tomcat uses the JVM trust
store, so you would need to specify:

CATALINA_OPTS=-Djavax.net.ssl.trustStore=your_path_to/cacerts.jks
-Djavax.net.ssl.trustStorePassword=your_password

But the documentation indicates to use the attributes:
   truststoreFile=C:/cacerts.jks
   truststorePass=changeit
   truststoreType=JKS

...that you already have tried.

So, try setting the variables above.

-Jorge


 

-Original Message-
From: Ron Perkins [mailto:ronperkins...@googlemail.com] 
Sent: Monday, April 20, 2009 4:14 AM
To: users@tomcat.apache.org
Subject: Tomcat 5.5 Trust Stores and Client Authentication






RE: Tomcat 5.5 Trust Stores and Client Authentication

2009-04-20 Thread Jason Smith
I think by installing the .cer file, you installed the public part of the
client certificate. A .cer file is supposed to contain the publicly
distributable portion of the client certificate.

The browsers need the private part. That's why it's called a client
certificate. You import the .cer file into your Java JKS keystore on the
server, and that lets the server know it can trust the client. You also have
to set up a user account matching the certificate in tomcat-users.xml for the
server portion to function. And there is a web.xml part too. You'll need to
import a .p12 file that is generated as part of the whole process into the
browsers. If you don't have a .p12 file handy, you need to figure out how to
get one from somewhere. You double-click on a .p12 file to import it into the
Windows keystore. Firefox also allows you to directly import a .p12 file.

-Original Message-
From: Jorge Medina [mailto:jmed...@e-dialog.com] 
Sent: Monday, April 20, 2009 9:49 AM
To: Tomcat Users List
Subject: RE: Tomcat 5.5 Trust Stores and Client Authentication




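A diagnostic an administrator could run against the three files the thread's connector depends on, added here as an example (not code from the thread or from Tomcat): it loads the server keystore and reports whether the configured keyAlias is a key entry (the thread generates the key under alias mycert but configures keyAlias=mykey), lists the trusted certificate entries in cacerts.jks, and checks that the browser-side bundle is a PKCS#12 file that carries a private key, as Jason's reply describes. The paths and changeit passwords are taken from the thread; the client.p12 file name is an assumption.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added diagnostic for a clientAuth="true" connector; paths and passwords
// are the thread's values and the client.p12 name is an assumption.
public class ClientAuthStoreCheck {
    static KeyStore load(String type, String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // 1. Server keystore: keyAlias must name a key entry (private key + cert),
        //    otherwise the connector has no server identity to present.
        KeyStore serverKs = load("JKS", "C:/keystore.jks", "changeit");
        String keyAlias = "mykey";
        if (!serverKs.isKeyEntry(keyAlias)) {
            System.out.println("keyAlias '" + keyAlias + "' is not a key entry; "
                    + "aliases in keystore: " + Collections.list(serverKs.aliases()));
        }

        // 2. Trust store: a client certificate is accepted only if it chains to
        //    one of the trusted certificate entries stored here.
        KeyStore trustKs = load("JKS", "C:/cacerts.jks", "changeit");
        int trusted = 0;
        for (String alias : Collections.list(trustKs.aliases())) {
            if (trustKs.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) trustKs.getCertificate(alias);
                System.out.println("trusted entry " + alias + ": " + c.getSubjectX500Principal());
                trusted++;
            }
        }
        if (trusted == 0) System.out.println("trust store has no trusted certificate entries");

        // 3. Browser credential: a .cer holds only the public certificate; the
        //    browser needs a PKCS#12 bundle whose entry carries the private key.
        KeyStore p12 = load("PKCS12", "client.p12", "changeit");
        for (String alias : Collections.list(p12.aliases())) {
            boolean hasKey = p12.isKeyEntry(alias);
            boolean inTrustStore = trustKs.getCertificateAlias(p12.getCertificate(alias)) != null;
            System.out.println("client entry " + alias + ": private key=" + hasKey
                    + ", certificate present in trust store=" + inTrustStore);
        }
    }
}
```

With the thread's steps as posted, the third check would report that the client bundle's certificate is not present in cacerts.jks, because the only certificate imported there is the server's own mycert.cer.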