Re: Tomcat 4 - OpenSSL - IE client certificate works partially
Hi Peter,

Thanks for your reply. We can all use a day off now and then :-)

In the meantime I have cracked the nut...! Yes, really!! Last night I succeeded in sending a self-generated certificate from IE to Tomcat that was verified and accepted and let me in on the site. I still have to sort out the exact chain of events that led to this discovery, and will mail them to you and the list once I've got them in correct order. Here are some hints though:

In retrospect, I did make some mistakes along the way, such as installing my private self-issued certificate in the IE keystore WITHOUT the private key. In other words, I installed the certificate by converting it into DER format, and then importing it into IE. Wrong! What you MUST do is to combine both the certificate AND the private key into a PKCS#12 format (using openssl pkcs12), and then install that in IE. Once I did that it worked. This was apparently the reason for the SSL handshake failure that we both have seen. You should verify if this solves your problem too.

NB. To install other people's certificates, as well as CA and server certificates, one should still only install the certificate in DER format, WITHOUT the key. Particularly for your own CA certificate ;-)

However other things I did prior to that may have attributed to the process too, this is what I need to sort out. One thing I found was that IE does not like keys longer than 1024 bits. I experimented with 512 bit keys right before I succeeded, so that may have left some files in a different order.

Of other noteworthy observations: you MUST use your own CA certificate to sign EVERYTHING (server + clients), AND the CA certificate should be installed in the Tomcat JKS keystore (used for client cert validation), AND the CA cert should also be in the trusted CAs file under JRE (used for client cert selection in IE).

A tricky part is to create a keyEntry certificate in the JKS keystore for Tomcat; if you just create your own key + cert and install that in the keystore using keytool, it will show up as a trustedCertEntry, because the private key is not imported. So, you actually start out by creating the JKS certificate following the guidelines for keytool, then you create a CERTREQ using keytool, and then you sign that request using your own CA cert. Finally you import the signed cert back into the keystore (this is the only time keytool allows you to import a certificate which already exists in the keystore!), and voila! you have a self-CA-signed cert for Tomcat. (If you know of ways to import a private key for an existing certificate in a JKS please let me know.)

Hope these initial comments help. Otherwise stay tuned for the HOW-TO :-)

Regards - Henrik Schultz
Senior Systems Architect
Consultant to Maersk Data AS
Tel.: +45 39 10 21 13
Mobile: +45 22 12 24 29
E-mail: [EMAIL PROTECTED]

Peter Werno wrote (02-07-2002 20:30, Subject: Re: Tomcat 4 - OpenSSL - IE client certificate works partially):

> Hello Henrik,
> sorry for not getting back to you, I had a day off :-) I will try to change the Server-Certificate to a real (ca-issued) certificate tomorrow and let you know if it works. I have previously used Apache as the webserver and mod_webapp to publish my Web-Applications through to the user. This has always worked fine, however, I have never tried with anything else than a real cert in this configuration. If you would like to try Apache, I can recommend the mod_ssl documentation, it is very detailed on how to set up Apache for SSL.
> Regards, Peter
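The steps Henrik lists (a private CA that signs server and client, certificate plus private key bundled into one PKCS#12 for the browser, the CA cert in Tomcat's keystore, and a keytool certificate request signed by that CA) as an added shell example; it is not code from the thread, and the file names, the demo-ca subject, the password changeit and the scratch directory are assumptions. It also covers the "make your own CA with openssl" suggestion made later in the thread, and the keytool part runs only when a JDK is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Runs the procedure Henrik describes
# with openssl alone (keytool steps only if a JDK is on the PATH). The names
# demo-ca, tomcat-server, client1 and the password "changeit" are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. Private CA. Everything below (server and client) is signed by this key,
#    and this certificate is what goes into Tomcat's truststore and the
#    browser's trusted-root list (as DER, without the key).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
    -keyout ca.key -out ca.crt 2>/dev/null
  openssl x509 -in ca.crt -outform DER -out ca.der   # cert only, for import
}

# 2. Issue a CA-signed certificate: $1 = file base name, $2 = subject CN.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out "$1.crt" 2>/dev/null
}

# 3. The fix from the thread: the browser needs certificate AND private key in
#    one PKCS#12 file. A certificate imported on its own leaves the browser
#    with nothing to sign the handshake with, so the server drops the session.
bundle_pkcs12() {
  openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -certfile ca.crt \
    -name "$1" -passout pass:changeit -out "$1.p12"
}

# The mistake, for comparison: a PKCS#12 holding the certificate only.
bundle_cert_only() {
  openssl pkcs12 -export -nokeys -in "$1.crt" -passout pass:changeit \
    -out "$1-certonly.p12"
}

# Check 1: does a PKCS#12 file carry a private key? Prints yes/no.
p12_has_key() {
  if openssl pkcs12 -in "$1" -passin pass:changeit -nocerts -nodes 2>/dev/null \
      | grep -q 'PRIVATE KEY'; then echo yes; else echo no; fi
}

# Check 2: does a certificate chain to our CA? This is the validation Tomcat
# performs against its truststore when it receives the client cert. Prints yes/no.
chains_to_ca() {
  if openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# 4. Tomcat side, as Henrik describes it: generate the key pair inside the JKS,
#    export a request, sign it with the CA, import the CA cert and then the
#    signed cert. That last import is what gives the key entry a CA-signed
#    chain instead of leaving a self-signed cert or a trustedCertEntry.
tomcat_keystore() {
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
    -dname "CN=tomcat-server" -keystore tomcat.jks -storepass changeit -keypass changeit
  keytool -certreq -alias tomcat -keystore tomcat.jks -storepass changeit -file tomcat.csr
  openssl x509 -req -in tomcat.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out tomcat.crt 2>/dev/null
  keytool -importcert -noprompt -alias demo-ca -file ca.crt -keystore tomcat.jks -storepass changeit
  keytool -importcert -noprompt -alias tomcat -file tomcat.crt -keystore tomcat.jks -storepass changeit
  keytool -list -keystore tomcat.jks -storepass changeit
}

make_ca
issue_cert server tomcat-server
issue_cert client1 client1
bundle_pkcs12 client1
bundle_cert_only client1
echo "client1.p12 has key:          $(p12_has_key client1.p12)"          # yes
echo "client1-certonly.p12 has key: $(p12_has_key client1-certonly.p12)" # no
echo "client1.crt chains to CA:     $(chains_to_ca client1.crt)"         # yes
if command -v keytool >/dev/null 2>&1; then tomcat_keystore || echo "keytool step failed"; fi
```

client1.p12 is what gets imported into the browser, ca.der is what goes into the browser's trusted roots, and tomcat.jks (when produced) is the Tomcat keystore.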
Re: Tomcat 4 - OpenSSL - IE client certificate works partially
The problem with homemade digital certificates generated with the Keytool is that they are self-signed, so IExplorer and other browsers do not trust them and do not let you use them for user authentication. However if you make your own CA using openssl and you generate server and client certificates you will see that it works. You have only to add your new CA to the trusted group for IExplorer (similar with other browsers). When you make a connection to a secure server, it returns data about which CAs it will accept (which CA means which client digital certificates signed with the given CAs). You can also use Thawte test certificates (client/server) but it is the same if you use openssl as I describe above.

Please, send me your howto and I will take a look :)

By the way, if you use Apache as frontend your setup will work better and faster and you will be able to do load balancing ;)

Henrik Schultz wrote:

> Greetings all... [original post "Tomcat 4 - OpenSSL - IE client certificate works partially" quoted in full]
Re: Tomcat 4 - OpenSSL - IE client certificate works partially
Peter wrote:

> this pretty much sounds like the same problem I was experiencing and posted earlier today. Sadly, your link below only gives hints on how to install a SERVER certificate, but not on how to configure everything to ask for a CLIENT cert.

This is what I found too. However, the ImportKey program sounds like a nifty little thing that could come in handy. Thanks for the link Schwarz!

The few other responses I got to my first posting were along the same lines, so for the sake of making sure everybody understands this correctly, let me reiterate: This is about CLIENT certificates. Apparently Tomcat gives up mysteriously when receiving a home-made certificate (perhaps the thread dies or something), but in any case the connection is quietly closed with no trace or log messages to be found anywhere.

> I have exactly the same problem where the initial handshake with the exchange of the SERVER cert is just fine, but then the connection breaks leaving you with absolutely NO LOG-entry as to why it broke

Ok, so I'm not the only one having this problem, that's assuring... somehow ;-)

> So far, I was only able to get an error-message out of Netscape (6.x) saying unknown SSL Error -12227

I tried to use NS too to find out more, but I had some problems with the firewall I'm behind to get to my server, so I never got to it. Unknown SSL error ... Hmm!

> Would it make sense to post this on the tomcat-development-list?

I think so. Regardless of why our own certificates do not work, it is highly problematic that there is no trace of what goes wrong anywhere. Do you have experience in this, or do you have the FAQ handy? I've never tried this myself, but one time has to be the first I guess :-)

Regards - Henrik Schultz
Senior Systems Architect
Consultant to Maersk Data AS
RE: Tomcat 4 - OpenSSL - IE client certificate works partially
I don't know if this applies to Apache Tomcat, but Apache Web Server does not like IE certs. There was an article in Eweek that talked about how Apache follows the standard, and Microsoft (as usual) innovated in regards to SSL, TLS, etc. So that Internet Explorer does work quite right with Apache Web Server. This might be what you are seeing. Verisign must have broken their certs to work with both IIS and Apache.

Adam Greene
ROMulin Group Inc
885 Main St, Suite 16
Moncton, NB E1C 1G5
Ph: (506) 863-1014 x4
Fx: (506) 854-6886
http://www.romulin.com/

-----Original Message-----
From: Henrik Schultz [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 01, 2002 11:43 AM
To: tomcat-user
Subject: Tomcat 4 - OpenSSL - IE client certificate works partially

> Greetings all... [original post quoted in full]
RE: Tomcat 4 - OpenSSL - IE client certificate works partially
I would absolutely love a HOW-TO. I have a project that is going to require certs for security. I will ultimately have to use a Verisign or Thawte cert, but I can certainly test with the homemade ones.

Also, have you tried to get Netscape or Mozilla to work??

Adam Greene
ROMulin Group Inc
http://www.romulin.com/

-----Original Message-----
From: Henrik Schultz [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 01, 2002 11:43 AM
To: tomcat-user
Subject: Tomcat 4 - OpenSSL - IE client certificate works partially

> Greetings all... [original post quoted in full]
RE: Tomcat 4 - OpenSSL - IE client certificate works partially
You could also use a temporary Verisign certificate to test with, which is what I have done so far.

No, I did not try Netscape myself due to a proxy issue, but someone else on the list did that, and that came up with a strange error: unknown SSL Error -12227. Have still no clue what this is. At least NS is saying something, contrary to IE that just gives me that bloody "Page cannot be displayed".

When I've gotten it all to work I'll write up a HOW-TO. Promise. Enough people have been struggling with this now for way too long.

Regards - Henrik Schultz
Senior Systems Architect
Consultant to Maersk Data AS

Adam Greene wrote (02-07-2002 10:18, To: Tomcat Users List, Subject: RE: Tomcat 4 - OpenSSL - IE client certificate works partially):

> I would absolutely love a HOW-TO. [...] Also, have you tried to get Netscape or Mozilla to work??
Tomcat 4 - OpenSSL - IE client certificate works partially
Greetings all...

For those not interested in client certificates at the deep technical level, this is probably not your favorite cup of tea. Otherwise read on.

Enabling SSL in Tomcat is really no sweat using your own home-made certificates, thanks to the excellent HOW-TO. Once you get your root CA certificate installed in the right places, and a suitable certificate installed in Tomcat, everything works just fine.

However, creating client certificates that work with IE has (at least for me) shown to be a real pain. I've experimented for months, and tried numerous postings on this list, but no one seemed to know the finer details. It was only recently I had a breakthrough, in that a trial certificate from Verisign allowed me to compare that and a home-made one, and find the bits that make the difference, that is, what it takes for it to be shown on the selection list in IE when the server asks for a client certificate.

Last night I succeeded. The right combination of keytool and openssl manoeuvres to set up a private CA finally generated a certificate that installed without a hitch in IE, and came up when I subsequently connected to my SSL-enabled Tomcat. So far so good. However there is still one major obstacle ... the server aborts the connection right away :-( IE tells me:

  The page cannot be displayed
  The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.

In other words, the usual message that indicates that the server screwed up, and closed the connection. Interestingly enough the Verisign certificate works just fine. So there is apparently still a difference to Tomcat. Have tried to connect using openssl s_client - works A-OK, also with my home-made certificate. Have looked in the tomcat logs to no avail. There is no trace anywhere why the connection breaks.

So the question to the list is: how would I go about diagnosing this? I believe that the problem must be related to the SSL container (?) that responds to the traffic on port 443, and does all the SSL handshaking, because my application never sees anything. Just like in Apache there's an error log for all the pages that fail - isn't there such a log in Tomcat?

Thanks for any input or advice you might have!

PS. If anyone is interested in a writeup or HOW-TO of making client certificates for Tomcat, let me know. This is certainly tricky stuff!

Henrik Schultz
Senior Systems Architect
Consultant to Maersk Data AS
Re: Tomcat 4 - OpenSSL - IE client certificate works partially
This is the answer: http://www.comu.de/docs/tomcat_ssl.htm and it's really easy.

-----Original Message-----
From: Henrik Schultz [mailto:[EMAIL PROTECTED]]
Sent: Monday, 1 July 2002 16:43
To: tomcat-user
Subject: Tomcat 4 - OpenSSL - IE client certificate works partially

> Greetings all... [original post quoted in full]
Re: Tomcat 4 - OpenSSL - IE client certificate works partially
Hi Henrik !!!

I'm interested in your HOW-TO for making client certificates for Tomcat... and don't worry, I love the tricky stuff !!! :-)

Thanks...
Marcelo

----- Original Message -----
From: Henrik Schultz [EMAIL PROTECTED]
To: tomcat-user
Sent: Monday, July 01, 2002 7:42 AM
Subject: Tomcat 4 - OpenSSL - IE client certificate works partially

> Greetings all...
> PS. If anyone is interested in a writeup or HOW-TO of making client certificates for Tomcat, let me know. This is certainly tricky stuff!
Re: Tomcat 4 - OpenSSL - IE client certificate works partially
I'd be interested too...

Marcelo Demestri [EMAIL PROTECTED] wrote:

> Hi Henrik !!! I'm interested in your HOW-TO for making client certificates for Tomcat... and don't worry, I love the tricky stuff !!! :-) Thanks... Marcelo