Re: Help with SSL Cert config
There's a light at the end of this tunnel - I've got it mostly working - via a browser anyway. My previous trivial problem was that the imports of the CA and cert signed by that CA needed to be in the opposite order - CA first, then cert - so that keytool would accept the cert.

My next, and hopefully last problem is that I can't seem to get the command to install the client cert in the java keystore correct. I tried just a simple

keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file client1.pem -alias myalias

But with or without this my java client can't connect - tomcat gives a certificate_unknown exception. The instructions I've been using don't mention what to do to get the client cert in the java keystore. They only say:

    create client cert request
    have the ca sign it
    generate a pkcs12 file from it
    import the pkcs12 into the browser

nothing about importing the client cert into the java keystore. Is there some other step I need to perform before/instead of importing the .pem into the cacerts file?

----- Original Message -----
From: joelsherriff [EMAIL PROTECTED]
To: Tomcat Users List <tomcat-user@jakarta.apache.org>
Sent: Saturday, March 26, 2005 9:07 PM
Subject: Re: Help with SSL Cert config

> > > # Import the CA certificate into the JDK certificate authorities keystore:
> > > keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file ca.pem -alias myalias -keypass changeit
> >
> > This is either/or with truststoreFile (which, since you are using 4.1.x, is done with the -Djavax.net.ssl.trustStore=/path/to/trust.store; for TC 3 5 it's configured like keystoreFile). However, you need to trust your CA cert (i.e. -trustcacerts).
>
> So if I understand you correctly, I need to add a -trustcacerts flag to the keytool command above that imports the CA cert? And, since I am using 4.1 I do need the -Djavax.net.ssl.trustStore=... in my CATALINA_OPTS because 4.1 doesn't support the truststoreFile= in the Coyote connector?
>
> Not trying to be dense (I come by that naturally), just want to be clear.
>
> > This (and everything I've said before) is assuming that you're using the Coyote Connector. I don't really remember how the (deprecated) Http11Connector works (and don't care enough to look it up :).
>
> Assumption correct.
>
> > > # Create a file to hold CA's serial numbers.
> > > echo 02 > ca.srl
> > > # Create a keystore for web server.
> > > keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=RD, O=MyOrg, L=New York, S=New York, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
> > > # Create a certificate request for web server:
> > > keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
> > > # Sign the certificate request:
> > > openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
> > > # Import the signed server certificate into the server keystore:
> > > keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit
> >
> > It's good practice to import the server CA as well, so that JSSE can send the entire chain, but at this point, I imagine you just want it to work ;-).
>
> You can say that again. But, when you say the server CA, which file are you referring to?
>
> > It's also necessary if you are pointing your truststore to your keystore.
> >
> > > I get a 'Failed to establish chain from reply' exception at this point.
> >
> > Since you re-created your CA, you would need to re-import it into your browser. However, I'm guessing that it's because of the lack of trust mentioned above.
> >
> > > ----- Original Message -----
> > > From: joelsherriff [EMAIL PROTECTED]
> > > To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> > > Sent: Saturday, March 26, 2005 11:24 AM
> > > Subject: Re: Help with SSL Cert config
> > >
> > > Ah. Thanks for the help, truly, but I'm still not getting there.
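As an added example (not code from the thread), the script below builds the same CA, server and client certificates with OpenSSL alone and then checks the thread's central point: a CA-signed client cert only chains when the CA is in the store Tomcat consults for client certs (the truststore), not merely in the keystore that identifies the server. File names follow the thread; the "Demo CA" subject, the CN values, the changeit passwords, the scratch directory and the 2048-bit keys (instead of the thread's 1024/512) are assumptions, and the keytool truststore step runs only if a JDK is installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Everything it creates is a
# constructed demo value; it writes only into a temporary directory.

# Create ca.key/ca.pem, server.crt, client1.pem and client1.p12 in a scratch
# directory whose path is left in $PKI_DIR. Returns non-zero on any failure.
build_pki() {
  PKI_DIR=$(mktemp -d) || return 1
  # 1. Private CA: key plus self-signed certificate (ca.key / ca.pem).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -subj "/C=US/ST=New York/L=New York/CN=Demo CA" \
      -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.pem" >/dev/null 2>&1 || return 1
  # 2. Server key and CSR, signed by the CA. The thread makes the server key
  #    with keytool -genkey; openssl is used here so no JDK is required.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=akuma-c" \
      -keyout "$PKI_DIR/server.key" -out "$PKI_DIR/server.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 365 -in "$PKI_DIR/server.csr" -CA "$PKI_DIR/ca.pem" \
      -CAkey "$PKI_DIR/ca.key" -CAcreateserial -out "$PKI_DIR/server.crt" >/dev/null 2>&1 || return 1
  # 3. Client key and CSR, signed by the same CA, then bundled as PKCS#12 for
  #    the browser. The export password is a constructed value.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
      -keyout "$PKI_DIR/client1.key" -out "$PKI_DIR/client1.req" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 365 -in "$PKI_DIR/client1.req" -CA "$PKI_DIR/ca.pem" \
      -CAkey "$PKI_DIR/ca.key" -CAcreateserial -out "$PKI_DIR/client1.pem" >/dev/null 2>&1 || return 1
  openssl pkcs12 -export -clcerts -in "$PKI_DIR/client1.pem" -inkey "$PKI_DIR/client1.key" \
      -name Client -passout pass:changeit -out "$PKI_DIR/client1.p12" >/dev/null 2>&1 || return 1
}

# What JSSE does with a presented certificate when clientAuth=true: try to
# build a chain from it to a CA held in the truststore. $1 is a PEM file that
# stands in for the truststore, $2 the presented certificate.
# Prints "trusted" or "untrusted".
verify_against_truststore() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Optional JDK part: the step the thread was missing, a separate truststore
# that holds only the CA certificate. Silently skipped without keytool.
build_truststore_jks() {
  command -v keytool >/dev/null 2>&1 || return 0
  keytool -importcert -noprompt -alias my_ca_alias -file "$PKI_DIR/ca.pem" \
      -keystore "$PKI_DIR/truststore.jks" -storepass changeit >/dev/null 2>&1
  # Tomcat 4.1 is then pointed at it through CATALINA_OPTS, as in the thread:
  #   -Djavax.net.ssl.trustStore=/path/to/truststore.jks
}

# Stand-alone run: the CA-signed client cert chains when the CA is in the
# store; a "truststore" holding only the server cert (a keystore without the
# CA in it) rejects it, which is the certificate_unknown / null cert chain case.
demo() {
  build_pki || { echo "openssl steps failed" >&2; return 1; }
  echo "client1.pem against a truststore with the CA:    $(verify_against_truststore "$PKI_DIR/ca.pem" "$PKI_DIR/client1.pem")"
  echo "client1.pem against a truststore without the CA: $(verify_against_truststore "$PKI_DIR/server.crt" "$PKI_DIR/client1.pem")"
  build_truststore_jks || echo "keytool import failed" >&2
  rm -rf "$PKI_DIR"
}
demo
```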
Re: Help with SSL Cert config
Ah. Thanks for the help, truly, but I'm still not getting there.

I didn't even know about the truststoreFile so I googled it and saw mention that the easiest thing to do is to set the truststoreFile = the keystoreFile, since that already has the CA cert in it. So, I tried setting truststoreFile to point to my keystoreFile in server.xml. That didn't help. Then I saw that there might be issues with setting truststoreFile in the server.xml in Tomcat 4.1 so I set it in CATALINA_OPTS like:

-Djavax.net.ssl.trustStore=C:/Program Files/Apache Group/Tomcat 4.1/conf/server.keystore

and that didn't help either. Anything else I'm missing?

----- Original Message -----
From: Bill Barker [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Sent: Friday, March 25, 2005 10:13 PM
Subject: Re: Help with SSL Cert config

> joelsherriff [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > I thought that's what this step:
> >
> > # Import the CA certificate into the server keystore:
> > keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
> >
> > was doing. No?
>
> No. That's putting it into your keystoreFile. The keystoreFile is to identify you. The truststoreFile is to identify other people.
>
> > ----- Original Message -----
> > From: Bill Barker [EMAIL PROTECTED]
> > To: tomcat-user@jakarta.apache.org
> > Sent: Friday, March 25, 2005 8:51 PM
> > Subject: Re: Help with SSL Cert config
> >
> > > You need to put your CA cert into your Tomcat truststoreFile. Otherwise, your client's cert won't be trusted.
> > >
> > > joelsherriff [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > > > I'm resending this message because a) for some reason I didn't see it on the list after I sent it and b) I never got any responses (maybe because of _a_). So, if my original post did actually make it to the list, please forgive the re-post. Hope someone can help. I've searched through the archives and this seems to be a common problem, but even detailed instructions have left me stumped.
Re: Help with SSL Cert config
Well I have more info now. I turned on debugging and saw that I'm getting a 'null cert chain' SSLHandshakeException. So, I started from scratch and went through each of my steps one by one and I've apparently got one of them wrong. Now when I do these steps:

# Create a private key and certificate request for your own CA:
openssl req -new -subj "/C=US/ST=New York/L=New York/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
# Create CA's self-signed certificate
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
# Import the CA certificate into the JDK certificate authorities keystore:
keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file ca.pem -alias myalias -keypass changeit
# Create a file to hold CA's serial numbers.
echo 02 > ca.srl
# Create a keystore for web server.
keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=RD, O=MyOrg, L=New York, S=New York, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
# Create a certificate request for web server:
keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
# Sign the certificate request:
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
# Import the signed server certificate into the server keystore:
keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit

I get a 'Failed to establish chain from reply' exception at this point.

----- Original Message -----
From: joelsherriff [EMAIL PROTECTED]
To: Tomcat Users List <tomcat-user@jakarta.apache.org>
Sent: Saturday, March 26, 2005 11:24 AM
Subject: Re: Help with SSL Cert config

> Ah. Thanks for the help, truly, but I'm still not getting there.
Re: Help with SSL Cert config
joelsherriff [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Well I have more info now. I turned on debugging and saw that I'm getting a 'null cert chain' SSLHandshakeException. So, I started from scratch and went through each of my steps one by one and I've apparently got one of them wrong. Now when I do these steps:
>
> # Create a private key and certificate request for your own CA:
> openssl req -new -subj "/C=US/ST=New York/L=New York/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
> # Create CA's self-signed certificate
> openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
> # Import the CA certificate into the JDK certificate authorities keystore:
> keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file ca.pem -alias myalias -keypass changeit

This is either/or with truststoreFile (which, since you are using 4.1.x, is done with the -Djavax.net.ssl.trustStore=/path/to/trust.store; for TC 3 5 it's configured like keystoreFile). However, you need to trust your CA cert (i.e. -trustcacerts).

This (and everything I've said before) is assuming that you're using the Coyote Connector. I don't really remember how the (deprecated) Http11Connector works (and don't care enough to look it up :).

> # Create a file to hold CA's serial numbers.
> echo 02 > ca.srl
> # Create a keystore for web server.
> keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=RD, O=MyOrg, L=New York, S=New York, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
> # Create a certificate request for web server:
> keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
> # Sign the certificate request:
> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
> # Import the signed server certificate into the server keystore:
> keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit

It's good practice to import the server CA as well, so that JSSE can send the entire chain, but at this point, I imagine you just want it to work ;-). It's also necessary if you are pointing your truststore to your keystore.

> I get a 'Failed to establish chain from reply' exception at this point.

Since you re-created your CA, you would need to re-import it into your browser. However, I'm guessing that it's because of the lack of trust mentioned above.

> ----- Original Message -----
> From: joelsherriff [EMAIL PROTECTED]
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Sent: Saturday, March 26, 2005 11:24 AM
> Subject: Re: Help with SSL Cert config
>
> Ah. Thanks for the help, truly, but I'm still not getting there. I didn't even know about the truststoreFile so I googled it and saw mention that the easiest thing to do is to set the truststoreFile = the keystoreFile, since that already has the CA cert in it. So, I tried setting truststoreFile to point to my keystoreFile in server.xml. That didn't help. Then I saw that there might be issues with setting truststoreFile in the server.xml in Tomcat 4.1 so I set it in CATALINA_OPTS like:
>
> -Djavax.net.ssl.trustStore=C:/Program Files/Apache Group/Tomcat 4.1/conf/server.keystore
>
> and that didn't help either. Anything else I'm missing?
Re: Help with SSL Cert config
> > # Import the CA certificate into the JDK certificate authorities keystore:
> > keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file ca.pem -alias myalias -keypass changeit
>
> This is either/or with truststoreFile (which, since you are using 4.1.x, is done with the -Djavax.net.ssl.trustStore=/path/to/trust.store; for TC 3 5 it's configured like keystoreFile). However, you need to trust your CA cert (i.e. -trustcacerts).

So if I understand you correctly, I need to add a -trustcacerts flag to the keytool command above that imports the CA cert? And, since I am using 4.1 I do need the -Djavax.net.ssl.trustStore=... in my CATALINA_OPTS because 4.1 doesn't support the truststoreFile= in the Coyote connector?

Not trying to be dense (I come by that naturally), just want to be clear.

> This (and everything I've said before) is assuming that you're using the Coyote Connector. I don't really remember how the (deprecated) Http11Connector works (and don't care enough to look it up :).

Assumption correct.

> > # Create a file to hold CA's serial numbers.
> > echo 02 > ca.srl
> > # Create a keystore for web server.
> > keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=RD, O=MyOrg, L=New York, S=New York, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
> > # Create a certificate request for web server:
> > keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
> > # Sign the certificate request:
> > openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
> > # Import the signed server certificate into the server keystore:
> > keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit
>
> It's good practice to import the server CA as well, so that JSSE can send the entire chain, but at this point, I imagine you just want it to work ;-).

You can say that again. But, when you say the server CA, which file are you referring to?

> It's also necessary if you are pointing your truststore to your keystore.
>
> > I get a 'Failed to establish chain from reply' exception at this point.
>
> Since you re-created your CA, you would need to re-import it into your browser. However, I'm guessing that it's because of the lack of trust mentioned above.
>
> > ----- Original Message -----
> > From: joelsherriff [EMAIL PROTECTED]
> > To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> > Sent: Saturday, March 26, 2005 11:24 AM
> > Subject: Re: Help with SSL Cert config
> >
> > Ah. Thanks for the help, truly, but I'm still not getting there. I didn't even know about the truststoreFile so I googled it and saw mention that the easiest thing to do is to set the truststoreFile = the keystoreFile, since that already has the CA cert in it. So, I tried setting truststoreFile to point to my keystoreFile in server.xml. That didn't help. Then I saw that there might be issues with setting truststoreFile in the server.xml in Tomcat 4.1 so I set it in CATALINA_OPTS like:
> >
> > -Djavax.net.ssl.trustStore=C:/Program Files/Apache Group/Tomcat 4.1/conf/server.keystore
> >
> > and that didn't help either. Anything else I'm missing?
> >
> > ----- Original Message -----
> > From: Bill Barker [EMAIL PROTECTED]
> > To: tomcat-user@jakarta.apache.org
> > Sent: Friday, March 25, 2005 10:13 PM
> > Subject: Re: Help with SSL Cert config
> >
> > > joelsherriff [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > > > I thought that's what this step:
> > > >
> > > > # Import the CA certificate into the server keystore:
> > > > keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
> > > >
> > > > was doing. No?
> > >
> > > No. That's putting it into your keystoreFile. The keystoreFile is to identify you. The truststoreFile is to identify other people.
Help with SSL Cert config
I'm resending this message because a) for some reason I didn't see it on the list after I sent it and b) I never got any responses (maybe because of _a_). So, if my original post did actually make it to the list, please forgive the re-post. Hope someone can help. I've searched through the archives and this seems to be a common problem, but even detailed instructions have left me stumped.

I'm trying to get client certificates to be required by tomcat by setting clientAuth=true but I can't seem to figure out how to get the client certificate to be accepted once I do that. Here's what I've done to generate all the appropriate files (parts copied from other posts to this list):

Further elaboration of what we're trying to do: We want to require client authentication from our customers. So, IIUC, we'll have to send them a signed client cert (p12) to install in their browser and java keystores. Again, IIUC, importing the CA certificate, that was used to sign the client cert, into the server keystore is what tells the server to accept the client certificate presented, because it will be signed by that CA (us). Is my understanding correct? If so, these steps appear to be correct, unless I've hosed something up along the way.

# Create a private key and certificate request
openssl req -new -subj "/C=US/ST=North Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
# Create CA's self-signed certificate
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
# Copy ca.pem to ca.crt, edit and change TRUSTED CERTIFICATE to CERTIFICATE
# import ca.crt into the Trusted Root Certificates Store in IE
# Import the CA certificate into the JDK certificate authorities keystore:
keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file ca.pem -alias my_ca_alias -keypass changeit -storepass changeit
# Create a file to hold CA's serial numbers.
echo 02 > ca.srl
# Create a keystore for the web server.
keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=RD, O=MyOrganization, L=Raleigh, S=North Carolina, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
# Create a certificate request for the web server:
keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
# Sign the certificate request:
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
# Import the signed server certificate into the server keystore:
keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit
# Import the CA certificate into the server keystore:
keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
# Create a client certificate request:
openssl req -new -newkey rsa:512 -nodes -out client1.req -keyout client1.key
# Sign the client certificate.
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in client1.req -out client1.pem -days 365
# Generate a PKCS12 file containing client key and client certificate.
openssl pkcs12 -export -clcerts -in client1.pem -inkey client1.key -out client1.p12 -name Client
# Import the PKCS12 file into the web browser under Personal Certificates
# edit the server.xml file and set clientAuth=true and keystoreFile to point to my server.keystore file.

Once all this is done, neither IE nor my web app can talk to tomcat on the ssl port (8443)
Re: Help with SSL Cert config
You need to put your CA cert into your Tomcat truststoreFile. Otherwise, your client's cert won't be trusted.

joelsherriff [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> I'm resending this message because a) for some reason I didn't see it on the list after I sent it and b) I never got any responses (maybe because of _a_). So, if my original post did actually make it to the list, please forgive the re-post. Hope someone can help. I've searched through the archives and this seems to be a common problem, but even detailed instructions have left me stumped.
>
> I'm trying to get client certificates to be required by tomcat by setting clientAuth=true but I can't seem to figure out how to get the client certificate to be accepted once I do that. Here's what I've done to generate all the appropriate files (parts copied from other posts to this list):
>
> Further elaboration of what we're trying to do: We want to require client authentication from our customers. So, IIUC, we'll have to send them a signed client cert (p12) to install in their browser and java keystores. Again, IIUC, importing the CA certificate, that was used to sign the client cert, into the server keystore is what tells the server to accept the client certificate presented, because it will be signed by that CA (us). Is my understanding correct? If so, these steps appear to be correct, unless I've hosed something up along the way.
>
> # Create a private key and certificate request
> openssl req -new -subj "/C=US/ST=North Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
> # Create CA's self-signed certificate
> openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
> # Copy ca.pem to ca.crt, edit and change TRUSTED CERTIFICATE to CERTIFICATE
> # import ca.crt into the Trusted Root Certificates Store in IE
> # Import the CA certificate into the JDK certificate authorities keystore:
> keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file ca.pem -alias my_ca_alias -keypass changeit -storepass changeit
> # Create a file to hold CA's serial numbers.
> echo 02 > ca.srl
> # Create a keystore for the web server.
> keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=RD, O=MyOrganization, L=Raleigh, S=North Carolina, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
> # Create a certificate request for the web server:
> keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
> # Sign the certificate request:
> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
> # Import the signed server certificate into the server keystore:
> keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit
> # Import the CA certificate into the server keystore:
> keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
> # Create a client certificate request:
> openssl req -new -newkey rsa:512 -nodes -out client1.req -keyout client1.key
> # Sign the client certificate.
> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in client1.req -out client1.pem -days 365
> # Generate a PKCS12 file containing client key and client certificate.
> openssl pkcs12 -export -clcerts -in client1.pem -inkey client1.key -out client1.p12 -name Client
> # Import the PKCS12 file into the web browser under Personal Certificates
> # edit the server.xml file and set clientAuth=true and keystoreFile to point to my server.keystore file.
>
> Once all this is done, neither IE nor my web app can talk to tomcat on the ssl port (8443)

---
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Help with SSL Cert config
I thought that's what this step:

# Import the CA certificate into the server keystore:
keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit

was doing. No?

----- Original Message -----
From: Bill Barker [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Sent: Friday, March 25, 2005 8:51 PM
Subject: Re: Help with SSL Cert config

> You need to put your CA cert into your Tomcat truststoreFile. Otherwise, your client's cert won't be trusted.
>
> joelsherriff [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > I'm resending this message because a) for some reason I didn't see it on the list after I sent it and b) I never got any responses (maybe because of _a_). So, if my original post did actually make it to the list, please forgive the re-post. Hope someone can help. I've searched through the archives and this seems to be a common problem, but even detailed instructions have left me stumped.
> >
> > I'm trying to get client certificates to be required by tomcat by setting clientAuth=true but I can't seem to figure out how to get the client certificate to be accepted once I do that. Here's what I've done to generate all the appropriate files (parts copied from other posts to this list):
> >
> > Further elaboration of what we're trying to do: We want to require client authentication from our customers. So, IIUC, we'll have to send them a signed client cert (p12) to install in their browser and java keystores. Again, IIUC, importing the CA certificate, that was used to sign the client cert, into the server keystore is what tells the server to accept the client certificate presented, because it will be signed by that CA (us). Is my understanding correct? If so, these steps appear to be correct, unless I've hosed something up along the way.
# Create a private key and certificate request
openssl req -new -subj "/C=US/ST=North Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
# Create CA's self-signed certificate
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
# Copy ca.pem to ca.crt, edit and change TRUSTED CERTIFICATE to CERTIFICATE
# import ca.crt into the Trusted Root Certificates Store in IE
# Import the CA certificate into the JDK certificate authorities keystore:
keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file ca.pem -alias my_ca_alias -keypass changeit -storepass changeit
# Create a file to hold CA's serial numbers.
echo 02 > ca.srl
# Create a keystore for the web server.
keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=RD, O=MyOrganization, L=Raleigh, S=North Carolina, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
# Create a certificate request for the web server:
keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
# Sign the certificate request:
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
# Import the signed server certificate into the server keystore:
keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit
# Import the CA certificate into the server keystore:
keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
# Create a client certificate request:
openssl req -new -newkey rsa:512 -nodes -out client1.req -keyout client1.key
# Sign the client certificate.
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in client1.req -out client1.pem -days 365
# Generate a PKCS12 file containing client key and client certificate.
openssl pkcs12 -export -clcerts -in client1.pem -inkey client1.key -out client1.p12 -name Client
# Import the PKCS12 file into the web browser under Personal Certificates
# edit the server.xml file and set clientAuth=true and keystoreFile to point to my server.keystore file.

Once all this is done, neither IE nor my web app can talk to tomcat on the ssl port (8443)
Re: Help with SSL Cert config
joelsherriff [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

I thought that's what this step:

# Import the CA certificate into the server keystore:
keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit

was doing. No?

No. That's putting it into your keystoreFile. The keystoreFile is to identify you. The truststoreFile is to identify other people.
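To make the keystoreFile/truststoreFile distinction from the reply above concrete, here is an added example (my code, not anything posted in the thread) that builds the same CA, server certificate, client certificate and PKCS#12 bundle with openssl, then uses `openssl verify` as a stand-in for a trust store: the client certificate checks out against the CA certificate but not against the server's own certificate, which is exactly why the CA has to live in the trust store rather than only in the server keystore. The subjects, the host name akuma-c, the password and every file name are assumptions; keys are 2048-bit RSA and the leaf certificates carry explicit extendedKeyUsage values, which the thread's commands do not set.

```shell
#!/bin/sh
# Added example (not from the thread): CA -> server cert, CA -> client cert,
# client PKCS#12, then "trust store" checks with openssl verify.
# Subjects, host name, password and file names below are assumptions.
set -u

WORK="${WORK:-$(mktemp -d)}"
CA_SUBJ="/C=US/ST=North Carolina/L=Raleigh/O=MyOrganization/CN=MyOrganization Private CA"
SERVER_SUBJ="/C=US/ST=North Carolina/L=Raleigh/O=MyOrganization/CN=akuma-c"
CLIENT_SUBJ="/C=US/ST=North Carolina/L=Raleigh/O=MyOrganization/CN=client1"
P12_PASS="changeit"   # assumed; never ship real client bundles with a default

# Minimal req config so the run does not depend on the system openssl.cnf.
# ca_ext marks the CA as a CA; without basicConstraints CA:TRUE modern
# OpenSSL rejects the chain with "invalid CA certificate".
write_req_config() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# 1. Self-signed CA plus the serial file the thread creates ("echo 02 > ca.srl").
make_ca() {
    write_req_config
    openssl req -new -x509 -config "$WORK/req.cnf" -extensions ca_ext -subj "$CA_SUBJ" \
        -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    echo 02 > "$WORK/ca.srl"
}

# 2. End-entity certificate signed by the CA.
#    $1 = base name, $2 = subject, $3 = extendedKeyUsage, $4 = extra extension line.
#    2048-bit keys: the 512-bit client key in the thread is refused by current
#    OpenSSL and Java and was weak even then.
issue_cert() {
    name=$1; subj=$2; eku=$3
    openssl req -new -config "$WORK/req.cnf" -subj "$subj" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n%s\n' "$eku" "${4:-}" \
        > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAserial "$WORK/ca.srl" -days 365 -extfile "$WORK/$name.ext" \
        -out "$WORK/$name.pem" >/dev/null 2>&1
}

# 3. Client key + cert as PKCS#12 for the browser, the same way the thread does it.
make_p12() {
    openssl pkcs12 -export -clcerts -name Client -in "$WORK/client1.pem" \
        -inkey "$WORK/client1.key" -passout "pass:$P12_PASS" \
        -out "$WORK/client1.p12" >/dev/null 2>&1
}

build_pki() {
    make_ca
    issue_cert server  "$SERVER_SUBJ" serverAuth "subjectAltName=DNS:akuma-c"
    issue_cert client1 "$CLIENT_SUBJ" clientAuth
    make_p12
}

# What a trust store does: accept $2 only if it chains to an anchor in $1.
# Prints OK or REJECTED.
verify_with_anchor() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo REJECTED; fi
}

# Same chain check plus the TLS role ($1 = sslclient or sslserver) from the EKU.
verify_purpose() {
    if openssl verify -CAfile "$WORK/ca.pem" -purpose "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo REJECTED
    fi
}

# Number of private keys inside the PKCS#12 (a usable client bundle has exactly one).
p12_key_count() {
    openssl pkcs12 -in "$WORK/client1.p12" -passin "pass:$P12_PASS" -nocerts -nodes 2>/dev/null |
        grep -c 'BEGIN .*PRIVATE KEY'
}

build_pki
echo "client1 against ca.pem (what the trust store holds):        $(verify_with_anchor "$WORK/ca.pem" "$WORK/client1.pem")"
echo "client1 against server.pem (what keystoreFile identifies):  $(verify_with_anchor "$WORK/server.pem" "$WORK/client1.pem")"
echo "client1 usable as a TLS client:                             $(verify_purpose sslclient "$WORK/client1.pem")"
echo "server cert usable as a TLS client:                         $(verify_purpose sslclient "$WORK/server.pem")"
echo "private keys in client1.p12:                                $(p12_key_count)"
```

Mapping back to Tomcat: server.key with server.pem (and ca.pem behind it, so the full chain is sent) is the server's identity and belongs in the file the connector's keystoreFile points at; ca.pem on its own is the trust anchor and belongs in whatever the connector uses as its trust store; client1.p12 is what the customer imports into the browser. If an older keytool or browser refuses a .p12 written by OpenSSL 3, re-export it with the `-legacy` option, which falls back to the older PKCS#12 encryption.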