Re: Using more than one SSL cert in keystore?
Justin Jaynes wrote:

> Thanks. I am doing as you have instructed. I hope to set up client-side
> redirects. Can you please tell me how? Does it require javascript, or just
> HTML? Where can I learn about client side re-directs?

Try Google (Web and Groups)

You can do it like this (relies on JavaScript):

  <html>
    <head>
      <title>redirection page</title>
    </head>
    <body onLoad="window.location.replace('http://me.com/myapp')">
    </body>
  </html>

and I think you can also do it with an HTTP header but I don't have details
to hand...

Paul S.

> Justin Jaynes
>
> --- Paul Singleton <[EMAIL PROTECTED]> wrote:
>
>> Justin Jaynes wrote:
>>
>>> ...But now I would like to put up a new site that is completely
>>> independent of the others. It needs its own SSL cert and it needs four
>>> host names to all point to the same place and redirect to just one of
>>> the domain names so that the SSL cert will be valid, regardless of how
>>> the users choose to get to my site.
>>
>> An SSL cert is for a specific domain name. If you want your users to be
>> able to make HTTPS requests to all four domains without warnings from
>> the browser, I reckon you need four certificates. But if they make
>> non-SSL requests, and you respond with a client-side redirect to your
>> one true certificated site using HTTPS, that may work OK?
>>
>>> Is it possible to do Virtual Hosting using IP's on a Tomcat standalone
>>> installation?
>>
>> Yes, I'm doing this now with 5.5.9
>>
>> You need e.g. this server.xml stuff for each host:
>>
>>   <Service>
>>     <Connector ... />        (HTTP)
>>     <Connector ... />        (HTTPS)
>>     <Engine>
>>       <Host>
>>         <Context ... />
>>       </Host>
>>     </Engine>
>>   </Service>
>>
>> You can use the default keystore for all hosts, and use the
>> (undocumented) keyAlias="myalias" Connector attribute to offer the
>> appropriate certificate for each host, e.g.
>>
>>   <Connector address="288.104.197.211" port="8443" scheme="https"
>>              secure="true" sslProtocol="TLS" keyAlias="mrk2" />
>>
>> (in 5.5.9 you also need sslProtocol="TLS" explicitly, fixed in later
>> versions)
>>
>> Paul Singleton
>>
>> --
>> No virus found in this outgoing message.
>> Checked by AVG Anti-Virus.
>> Version: 7.0.338 / Virus Database: 267.10.0/63 - Release Date: 3/Aug/2005
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
RE: Using more than one SSL cert in keystore?
-----Original Message-----
From: Paul Singleton [mailto:[EMAIL PROTECTED]]
Sent: Tuesday 9 August 2005 15:47
To: Tomcat Users List
Subject: Re: Using more than one SSL cert in keystore?

> Justin Jaynes wrote:
>
>> Thanks. I am doing as you have instructed. I hope to set up client-side
>> redirects. Can you please tell me how? Does it require javascript, or
>> just HTML? Where can I learn about client side re-directs?
>
> Try Google (Web and Groups)
>
> You can do it like this (relies on JavaScript):
>
>   <html>
>     <head>
>       <title>redirection page</title>
>     </head>
>     <body onLoad="window.location.replace('http://me.com/myapp')">
>     </body>
>   </html>
>
> and I think you can also do it with an HTTP header but I don't have
> details to hand...

You can use

  <meta http-equiv="refresh" content="delay; URL=yourURL">

Cheers,
Laurent
Re: Using more than one SSL cert in keystore?
Paul Singleton wrote re' client-side redirects:

> You can do it like this (relies on JavaScript):

You can also use this META tag in the head of the document:

  <meta http-equiv="refresh" content="0;url=http://example.com" />

(The first part of content is the interval in seconds before the 'refresh'
happens...)

HTH!
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com

                       dream.  code.
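The "HTTP header" way of redirecting that Paul mentions without details, and that the META and JavaScript replies above do client-side, is a 301 response whose Location points at the one host name the certificate is issued for. The following is an added example, not code from the thread or from Tomcat: it assembles that response as plain text so the decision logic can be read and tested (in Tomcat you would do the same in a servlet or filter, or in a front-end proxy). The alias names and the canonical name are constructed placeholders, not the poster's real domains.

```shell
#!/bin/sh
# Added example: a canonical-host redirect for the "four host names, one
# certificate" setup discussed in the thread. Assumptions: the names below are
# constructed placeholders; the response is only printed, not served.

CANONICAL="www.example.com"   # the host name the certificate is issued for

# Allowlist of names we own. Building the redirect from an arbitrary Host
# header would let a forged request turn the site into an open redirector, so
# anything not on this list is refused rather than forwarded.
is_alias_host() {
  case "$1" in
    example.com|www.example.com|example.net|www.example.net) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit the redirect for Host header $1 and request path $2.
# The host is lower-cased and stripped of any :port before matching; CR/LF are
# removed from the path so it cannot inject extra response headers.
redirect_response() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); host="${host%%:*}"
  path=$(printf '%s' "$2" | tr -d '\r\n')
  case "$path" in /*) ;; *) path="/$path" ;; esac
  if ! is_alias_host "$host"; then
    printf 'HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n'
    return 1
  fi
  printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://%s%s\r\nContent-Length: 0\r\n\r\n' "$CANONICAL" "$path"
}

# Just the Location value, or nothing when the host was refused.
redirect_location() {
  redirect_response "$1" "$2" | sed -n 's/^Location: //p' | tr -d '\r'
}

redirect_response "Example.NET:80" "/myapp/login"
```

A 301 is the right status for a permanent move to the certificated name; the Content-Length of 0 keeps the response well-formed without a body. Note that the redirect only helps for plain-HTTP requests, as Paul says: an HTTPS request to an alias name still has to be answered with a certificate for that name before any redirect can be sent.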
Re: Using more than one SSL cert in keystore?
Paul,

Thanks. I am doing as you have instructed. I hope to set up client-side
redirects. Can you please tell me how? Does it require javascript, or just
HTML? Where can I learn about client side re-directs?

Justin Jaynes

--- Paul Singleton <[EMAIL PROTECTED]> wrote:

> Justin Jaynes wrote:
>
>> ...But now I would like to put up a new site that is completely
>> independent of the others. It needs its own SSL cert and it needs four
>> host names to all point to the same place and redirect to just one of
>> the domain names so that the SSL cert will be valid, regardless of how
>> the users choose to get to my site.
>
> An SSL cert is for a specific domain name. If you want your users to be
> able to make HTTPS requests to all four domains without warnings from the
> browser, I reckon you need four certificates. But if they make non-SSL
> requests, and you respond with a client-side redirect to your one true
> certificated site using HTTPS, that may work OK?
>
>> Is it possible to do Virtual Hosting using IP's on a Tomcat standalone
>> installation?
>
> Yes, I'm doing this now with 5.5.9
>
> You need e.g. this server.xml stuff for each host:
>
>   <Service>
>     <Connector ... />        (HTTP)
>     <Connector ... />        (HTTPS)
>     <Engine>
>       <Host>
>         <Context ... />
>       </Host>
>     </Engine>
>   </Service>
>
> You can use the default keystore for all hosts, and use the (undocumented)
> keyAlias="myalias" Connector attribute to offer the appropriate
> certificate for each host, e.g.
>
>   <Connector address="288.104.197.211" port="8443" scheme="https"
>              secure="true" sslProtocol="TLS" keyAlias="mrk2" />
>
> (in 5.5.9 you also need sslProtocol="TLS" explicitly, fixed in later
> versions)
>
> Paul Singleton
RE: Using more than one SSL cert in keystore?
Can keytool be used to make a wildcard SSL Key for similar URLs? I know it
can be done using apache.

Jef Sullivan
Programmer
IKANO Communications, Inc.

-----Original Message-----
From: Paul Singleton [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 04, 2005 8:21 AM
To: Tomcat Users List; [EMAIL PROTECTED]
Subject: Re: Using more than one SSL cert in keystore?

Justin Jaynes wrote:

> ...But now I would like to put up a new site that is completely
> independent of the others. It needs its own SSL cert and it needs four
> host names to all point to the same place and redirect to just one of the
> domain names so that the SSL cert will be valid, regardless of how the
> users choose to get to my site.

An SSL cert is for a specific domain name. If you want your users to be
able to make HTTPS requests to all four domains without warnings from the
browser, I reckon you need four certificates. But if they make non-SSL
requests, and you respond with a client-side redirect to your one true
certificated site using HTTPS, that may work OK?

> Is it possible to do Virtual Hosting using IP's on a Tomcat standalone
> installation?

Yes, I'm doing this now with 5.5.9

You need e.g. this server.xml stuff for each host:

  <Service>
    <Connector ... />        (HTTP)
    <Connector ... />        (HTTPS)
    <Engine>
      <Host>
        <Context ... />
      </Host>
    </Engine>
  </Service>

You can use the default keystore for all hosts, and use the (undocumented)
keyAlias="myalias" Connector attribute to offer the appropriate certificate
for each host, e.g.

  <Connector address="288.104.197.211" port="8443" scheme="https"
             secure="true" sslProtocol="TLS" keyAlias="mrk2" />

(in 5.5.9 you also need sslProtocol="TLS" explicitly, fixed in later
versions)

Paul Singleton
Re: Using more than one SSL cert in keystore?
Justin Jaynes wrote:

> ...But now I would like to put up a new site that is completely
> independent of the others. It needs its own SSL cert and it needs four
> host names to all point to the same place and redirect to just one of the
> domain names so that the SSL cert will be valid, regardless of how the
> users choose to get to my site.

An SSL cert is for a specific domain name. If you want your users to be
able to make HTTPS requests to all four domains without warnings from the
browser, I reckon you need four certificates. But if they make non-SSL
requests, and you respond with a client-side redirect to your one true
certificated site using HTTPS, that may work OK?

> Is it possible to do Virtual Hosting using IP's on a Tomcat standalone
> installation?

Yes, I'm doing this now with 5.5.9

You need e.g. this server.xml stuff for each host:

  <Service>
    <Connector ... />        (HTTP)
    <Connector ... />        (HTTPS)
    <Engine>
      <Host>
        <Context ... />
      </Host>
    </Engine>
  </Service>

You can use the default keystore for all hosts, and use the (undocumented)
keyAlias="myalias" Connector attribute to offer the appropriate certificate
for each host, e.g.

  <Connector address="288.104.197.211" port="8443" scheme="https"
             secure="true" sslProtocol="TLS" keyAlias="mrk2" />

(in 5.5.9 you also need sslProtocol="TLS" explicitly, fixed in later
versions)

Paul Singleton
SSL cert
Hi!

My certificate expired so I ordered a new one, I removed the old one in my
keystore and added the new one. I can look at my certificate with
keytool -list and it's there and looks correct. However, when I try to use
the site it sends me the old one, claiming it has expired. Could I be doing
anything wrong? Anyone else had this problem?

Thanks.

--
Andreas Andersson
IT Dept.
Travelstart Nordic
[EMAIL PROTECTED]
http://www.travelstart.se
RE: SSL cert
Did you restart tomcat ?

-----Original Message-----
From: Andreas Andersson [mailto:[EMAIL PROTECTED]]
Sent: 02 August 2005 15:51
To: tomcat-user@jakarta.apache.org
Subject: SSL cert

Hi!

My certificate expired so I ordered a new one, I removed the old one in my
keystore and added the new one. I can look at my certificate with
keytool -list and it's there and looks correct. However, when I try to use
the site it sends me the old one, claiming it has expired. Could I be doing
anything wrong? Anyone else had this problem?

Thanks.

--
Andreas Andersson
IT Dept.
Travelstart Nordic
[EMAIL PROTECTED]
http://www.travelstart.se
Re: SSL cert
Raghupathy,Gurumoorthy wrote:

> Did you restart tomcat ?

Of course, several times just to be sure :)

--
Andreas Andersson
IT Dept.
Travelstart Nordic
[EMAIL PROTECTED]
http://www.travelstart.se
Re: Using more than one SSL cert in keystore?
Bruno,

I am hosting a few sites on Tomcat standalone and they all share one SSL
certificate because they all use the same domain name (they are just
forwards to different directories). But now I would like to put up a new
site that is completely independent of the others. It needs its own SSL
cert and it needs four host names to all point to the same place and
redirect to just one of the domain names so that the SSL cert will be
valid, regardless of how the users choose to get to my site.

Is it possible to do Virtual Hosting using IP's on a Tomcat standalone
installation? Or will it only do the host entries that I am already using?
It would solve all my problems if I could. Then, to get four addresses
redirected to one, I would simply have to have my default domain name set
in server.xml, enter no other host entries, and all the requests sent there
would shift to the default domain. I am not sure if this scenario is
achievable. Tomcat may not even be set up for IP virtual hosting.

One other thought--Is this more easily achieved by setting up a second
instance of tomcat on my machine?

Justin

--- Bruno Georges <[EMAIL PROTECTED]> wrote:

> Justin
>
> In this situation, I would use apache + modrewrite
> If you want some example I can help you
>
> Bruno
>
> Bruno Georges
> Glencore International AG
> Tel. +41 41 709 3204
> Fax +41 41 709 3000
>
> ----- Original Message -----
> From: Justin Jaynes <[EMAIL PROTECTED]>
> Sent: 02.08.2005 00:54
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Subject: Re: Using more than one SSL cert in keystore?
>
> In the (brief) interim between my asking the original question below, and
> now, I have found additional information--SSL must occur before HTTP
> handshake, and will therefore not work on hosts based on the same IP. I
> have more than one IP available from my ISP. I suppose the question would
> better be this: How do I configure virtual hosting of more than one SSL
> enabled host over ONE interface using multiple IP addresses?
>
> Sorry for the confusion.
>
> --- Justin Jaynes <[EMAIL PROTECTED]> wrote:
>
>> If I host more than one domain on my tomcat installation (standalone,
>> not with apache), can I import an SSL certificate for each domain and
>> will tomcat just know which to use for which hosts?
>>
>> Justin Jaynes
Using more than one SSL cert in keystore?
If I host more than one domain on my tomcat installation (standalone, not
with apache), can I import an SSL certificate for each domain and will
tomcat just know which to use for which hosts?

Justin Jaynes
Re: Using more than one SSL cert in keystore?
In the (brief) interim between my asking the original question below, and
now, I have found additional information--SSL must occur before HTTP
handshake, and will therefore not work on hosts based on the same IP. I
have more than one IP available from my ISP. I suppose the question would
better be this: How do I configure virtual hosting of more than one SSL
enabled host over ONE interface using multiple IP addresses?

Sorry for the confusion.

--- Justin Jaynes <[EMAIL PROTECTED]> wrote:

> If I host more than one domain on my tomcat installation (standalone, not
> with apache), can I import an SSL certificate for each domain and will
> tomcat just know which to use for which hosts?
>
> Justin Jaynes
Re: Using more than one SSL cert in keystore?
Justin

In this situation, I would use apache + modrewrite
If you want some example I can help you

Bruno

Bruno Georges
Glencore International AG
Tel. +41 41 709 3204
Fax +41 41 709 3000

----- Original Message -----
From: Justin Jaynes <[EMAIL PROTECTED]>
Sent: 02.08.2005 00:54
To: Tomcat Users List <tomcat-user@jakarta.apache.org>
Subject: Re: Using more than one SSL cert in keystore?

In the (brief) interim between my asking the original question below, and
now, I have found additional information--SSL must occur before HTTP
handshake, and will therefore not work on hosts based on the same IP. I
have more than one IP available from my ISP. I suppose the question would
better be this: How do I configure virtual hosting of more than one SSL
enabled host over ONE interface using multiple IP addresses?

Sorry for the confusion.

--- Justin Jaynes <[EMAIL PROTECTED]> wrote:

> If I host more than one domain on my tomcat installation (standalone, not
> with apache), can I import an SSL certificate for each domain and will
> tomcat just know which to use for which hosts?
>
> Justin Jaynes
Re: Help with SSL Cert config
There's a light at the end of this tunnel - I've got it mostly working - via
a browser anyway. My previous trivial problem was the imports of the CA and
cert signed by that CA needed to be in the opposite order - CA first, then
cert - so that keytool would accept the cert.

My next, and hopefully last problem is that I can't seem to get the command
to install the client cert in the java keystore correct. I tried just a
simple

  keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file client1.pem -alias myalias

But with or without this my java client can't connect - tomcat gives a
certificate_unknown exception. The instructions I've been using don't
mention what to do to get the client cert in the java keystore. They only
say:

  create client cert request
  have the ca sign it
  generate a pkcs12 file from it
  import the pkcs12 into the browser

nothing about importing the client cert into the java keystore. Is there
some other step I need to perform before/instead of importing the .pem into
the cacerts file?

----- Original Message -----
From: joelsherriff <[EMAIL PROTECTED]>
To: Tomcat Users List <tomcat-user@jakarta.apache.org>
Sent: Saturday, March 26, 2005 9:07 PM
Subject: Re: Help with SSL Cert config

>> #Import the CA certificate into the JDK certificate authorities keystore:
>> keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file ca.pem -alias myalias -keypass changeit
>
> This is either/or with truststoreFile (which, since you are using 4.1.x,
> is done with the -Djavax.net.ssl.trustStore=/path/to/trust.store; for
> TC 3 & 5 it's configured like keystoreFile). However, you need to trust
> your CA cert (i.e. -trustcacerts).

So if I understand you correctly, I need to add a -trustcacerts flag to the
keytool command above that imports the CA cert? And, since I am using 4.1 I
do need the -Djavax.net.ssl.trustStore=... in my CATALINA_OPTS because 4.1
doesn't support the truststoreFile= in the Coyote connector?

Not trying to be dense (I come by that naturally), just want to be clear.

> This (and everything I've said before) is assuming that you're using the
> Coyote Connector. I don't really remember how the (deprecated)
> Http11Connector works (and don't care enough to look it up :).

Assumption correct.

>> # Create a file to hold CA's serial numbers.
>> echo 02 > ca.srl
>>
>> # Create a keystore for web server.
>> keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=RD, O=MyOrg, L=New York, S=New York, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
>>
>> # Create a certificate request for web server:
>> keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
>>
>> # Sign the certificate request:
>> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
>>
>> # Import the signed server certificate into the server keystore:
>> keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit
>
> It's good practice to import the server CA as well, so that JSSE can send
> the entire chain, but at this point, I imagine you just want it to work
> ;-).

You can say that again. But, when you say the server CA, which file are
you referring to?

> It's also necessary if you are pointing your truststore to your keystore.
>
>> I get a 'Failed to establish chain from reply' exception at this point.
>
> Since you re-created your CA, you would need to re-import it into your
> browser. However, I'm guessing that it's because of the lack of trust
> mentioned above.
>
> ----- Original Message -----
> From: joelsherriff <[EMAIL PROTECTED]>
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Sent: Saturday, March 26, 2005 11:24 AM
> Subject: Re: Help with SSL Cert config
>
>> Ah. Thanks for the help, truly, but I'm still not getting there.
>>
>> I didn't even know about the truststoreFile so I googled it and saw
>> mention that the easiest thing to do is to set the truststoreFile = the
>> keystoreFile, since that already has the CA cert in it. So, I tried
>> setting truststoreFile to point to my keystoreFile in server.xml. That
>> didn't help. Then I saw that there might be issues with setting
>> truststoreFile in the server.xml in Tomcat 4.1 so I set it in
>> CATALINA_OPTS like:
>>
>>   -Djavax.net.ssl.trustStore="C:/Program Files/Apache Group/Tomcat 4.1/conf/server.keystore"
>>
>> and that didn't help either. Anything else I'm missing?
>>
>> ----- Original Message -----
>> From: Bill Barker <[EMAIL PROTECTED]>
>> To: tomcat-user@jakarta.apache.org
>> Sent: Friday, March 25, 2005 10:13 PM
>> Subject: Re: Help with SSL Cert config
>>
>>> joelsherriff <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>>>
>>>> I thought that's what this step:
>>>>
>>>> # Import the CA certificate
Re: Help with SSL Cert config
Ah. Thanks for the help, truly, but I'm still not getting there.

I didn't even know about the truststoreFile so I googled it and saw mention
that the easiest thing to do is to set the truststoreFile = the
keystoreFile, since that already has the CA cert in it. So, I tried setting
truststoreFile to point to my keystoreFile in server.xml. That didn't help.
Then I saw that there might be issues with setting truststoreFile in the
server.xml in Tomcat 4.1 so I set it in CATALINA_OPTS like:

  -Djavax.net.ssl.trustStore="C:/Program Files/Apache Group/Tomcat 4.1/conf/server.keystore"

and that didn't help either. Anything else I'm missing?

----- Original Message -----
From: Bill Barker <[EMAIL PROTECTED]>
To: tomcat-user@jakarta.apache.org
Sent: Friday, March 25, 2005 10:13 PM
Subject: Re: Help with SSL Cert config

> joelsherriff <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>
>> I thought that's what this step:
>>
>> # Import the CA certificate into the server keystore:
>> keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
>>
>> was doing. No?
>
> No. That's putting it into your keystoreFile. The keystoreFile is to
> identify you. The truststoreFile is to identify other people.
>
>> ----- Original Message -----
>> From: Bill Barker <[EMAIL PROTECTED]>
>> To: tomcat-user@jakarta.apache.org
>> Sent: Friday, March 25, 2005 8:51 PM
>> Subject: Re: Help with SSL Cert config
>>
>>> You need to put your CA cert into your Tomcat truststoreFile.
>>> Otherwise, your client's cert won't be trusted.
>>>
>>> joelsherriff <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>>>
>>>> I'm resending this message because a) for some reason I didn't see it
>>>> on the list after I sent it and b) I never got any responses (maybe
>>>> because of _a_). So, if my original post did actually make it to the
>>>> list, please forgive the re-post. Hope someone can help.
>>>>
>>>> I've searched through the archives and this seems to be a common
>>>> problem, but even detailed instructions have left me stumped.
>>>>
>>>> I'm trying to get client certificates to be required by tomcat by
>>>> setting clientAuth="true" but I can't seem to figure out how to get
>>>> the client certificate to be accepted once I do that. Here's what I've
>>>> done to generate all the appropriate files (parts copied from other
>>>> posts to this list):
>>>>
>>>> Further elaboration of what we're trying to do: We want to require
>>>> client authentication from our customers. So, IIUC, we'll have to send
>>>> them a signed client cert (p12) to install in their browser and java
>>>> keystores. Again, IIUC, importing the CA certificate, that was used to
>>>> sign the client cert, into the server keystore is what tells the
>>>> server to accept the client certificate presented, because it will be
>>>> signed by that CA (us). Is my understanding correct? If so, these
>>>> steps appear to be correct, unless I've hosed something up along the
>>>> way.
>>>>
>>>> # Create a private key and certificate request
>>>> openssl req -new -subj "/C=US/ST=North Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
>>>>
>>>> # Create CA's self-signed certificate
>>>> openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
>>>>
>>>> # Copy ca.pem to ca.crt, edit and change TRUSTED CERTIFICATE to CERTIFICATE
>>>> # import ca.crt into the Trusted Root Certificates Store in IE
>>>>
>>>> #Import the CA certificate into the JDK certificate authorities keystore:
>>>> keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file ca.pem -alias my_ca_alias -keypass changeit -storepass changeit
>>>>
>>>> # Create a file to hold CA's serial numbers.
>>>> echo 02 > ca.srl
>>>>
>>>> # Create a keystore for the web server.
>>>> keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=RD, O=MyOrganization, L=Raleigh, S=North Carolina, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
>>>>
>>>> # Create a certificate request for the web server:
>>>> keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
>>>>
>>>> # Sign the certificate request:
>>>> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
>>>>
>>>> # Import the signed server certificate into the server keystore:
>>>> keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit
>>>>
>>>> # Import the CA certificate into the server keystore:
>>>> keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
>>>>
>>>> # Create a client certificate request:
>>>> openssl req -new -newkey rsa:512 -nodes -out client1.req -keyout client1.key
>>>>
>>>> # Sign the client certificate.
>>>> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in client1.req -out client1.pem -days 365
>>>>
>>>> # Generate a PKCS12 file containing client key and client certificate.
>>>> openssl pkcs12 -export -clcerts -in client1.pem -inkey
Re: Help with SSL Cert config
Well I have more info now. I turned on debugging and saw that I'm getting a
'null cert chain' SSLHandshakeException. So, I started from scratch and
went through each of my steps one by one and I've apparently got one of
them wrong. Now when I do these steps:

  # Create a private key and certificate request for your own CA:
  openssl req -new -subj "/C=US/ST=New York/L=New York/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key

  # Create CA's self-signed certificate
  openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

  #Import the CA certificate into the JDK certificate authorities keystore:
  keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file ca.pem -alias myalias -keypass changeit

  # Create a file to hold CA's serial numbers.
  echo 02 > ca.srl

  # Create a keystore for web server.
  keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=RD, O=MyOrg, L=New York, S=New York, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS

  # Create a certificate request for web server:
  keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit

  # Sign the certificate request:
  openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365

  # Import the signed server certificate into the server keystore:
  keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit

I get a 'Failed to establish chain from reply' exception at this point.

----- Original Message -----
From: joelsherriff <[EMAIL PROTECTED]>
To: Tomcat Users List <tomcat-user@jakarta.apache.org>
Sent: Saturday, March 26, 2005 11:24 AM
Subject: Re: Help with SSL Cert config

> Ah. Thanks for the help, truly, but I'm still not getting there.
>
> I didn't even know about the truststoreFile so I googled it and saw
> mention that the easiest thing to do is to set the truststoreFile = the
> keystoreFile, since that already has the CA cert in it. So, I tried
> setting truststoreFile to point to my keystoreFile in server.xml. That
> didn't help. Then I saw that there might be issues with setting
> truststoreFile in the server.xml in Tomcat 4.1 so I set it in
> CATALINA_OPTS like:
>
>   -Djavax.net.ssl.trustStore="C:/Program Files/Apache Group/Tomcat 4.1/conf/server.keystore"
>
> and that didn't help either. Anything else I'm missing?
>
> ----- Original Message -----
> From: Bill Barker <[EMAIL PROTECTED]>
> To: tomcat-user@jakarta.apache.org
> Sent: Friday, March 25, 2005 10:13 PM
> Subject: Re: Help with SSL Cert config
>
>> joelsherriff <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>>
>>> I thought that's what this step:
>>>
>>> # Import the CA certificate into the server keystore:
>>> keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
>>>
>>> was doing. No?
>>
>> No. That's putting it into your keystoreFile. The keystoreFile is to
>> identify you. The truststoreFile is to identify other people.
>>
>>> ----- Original Message -----
>>> From: Bill Barker <[EMAIL PROTECTED]>
>>> To: tomcat-user@jakarta.apache.org
>>> Sent: Friday, March 25, 2005 8:51 PM
>>> Subject: Re: Help with SSL Cert config
>>>
>>>> You need to put your CA cert into your Tomcat truststoreFile.
>>>> Otherwise, your client's cert won't be trusted.
>>>>
>>>> joelsherriff <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>>>>
>>>>> I'm resending this message because a) for some reason I didn't see
>>>>> it on the list after I sent it and b) I never got any responses
>>>>> (maybe because of _a_). So, if my original post did actually make it
>>>>> to the list, please forgive the re-post. Hope someone can help.
>>>>>
>>>>> I've searched through the archives and this seems to be a common
>>>>> problem, but even detailed instructions have left me stumped.
>>>>>
>>>>> I'm trying to get client certificates to be required by tomcat by
>>>>> setting clientAuth="true" but I can't seem to figure out how to get
>>>>> the client certificate to be accepted once I do that. Here's what
>>>>> I've done to generate all the appropriate files (parts copied from
>>>>> other posts to this list):
>>>>>
>>>>> Further elaboration of what we're trying to do: We want to require
>>>>> client authentication from our customers. So, IIUC, we'll have to
>>>>> send them a signed client cert (p12) to install in their browser and
>>>>> java keystores. Again, IIUC, importing the CA certificate, that was
>>>>> used to sign the client cert, into the server keystore is what tells
>>>>> the server to accept the client certificate presented, because it
>>>>> will be signed by that CA (us). Is my understanding correct? If so,
>>>>> these steps appear to be correct, unless I've hosed something up
>>>>> along the way.
>>>>>
>>>>> # Create a private key and certificate request
>>>>> openssl req -new -subj "/C=US/ST=North Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
Re: Help with SSL Cert config
joelsherriff [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Well I have more info now. I turned on debugging and saw that I'm getting a 'null cert chain' SSLHandshakeException. So, I started from scratch and went through each of my steps one by one and I've apparently got one of them wrong. Now when I do these steps:
>
> # Create a private key and certificate request for your own CA:
> openssl req -new -subj "/C=US/ST=New York/L=New York/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
>
> # Create CA's self-signed certificate
> openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
>
> # Import the CA certificate into the JDK certificate authorities keystore:
> keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file ca.pem -alias myalias -keypass changeit

This is either/or with truststoreFile (which, since you are using 4.1.x, is done with the -Djavax.net.ssl.trustStore=/path/to/trust.store; for TC 3 5 it's configured like keystoreFile). However, you need to trust your CA cert (i.e. -trustcacerts).

This (and everything I've said before) is assuming that you're using the Coyote Connector. I don't really remember how the (deprecated) Http11Connector works (and don't care enough to look it up :).

> # Create a file to hold CA's serial numbers.
> echo 02 > ca.srl
>
> # Create a keystore for web server.
> keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=RD, O=MyOrg, L=New York, S=New York, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
>
> # Create a certificate request for web server:
> keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
>
> # Sign the certificate request:
> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
>
> # Import the signed server certificate into the server keystore:
> keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit

It's good practice to import the server CA as well, so that JSSE can send the entire chain, but at this point, I imagine you just want it to work ;-). It's also necessary if you are pointing your truststore to your keystore.

> I get a 'Failed to establish chain from reply' exception at this point.

Since you re-created your CA, you would need to re-import it into your browser. However, I'm guessing that it's because of the lack of trust mentioned above.

> ----- Original Message -----
> From: joelsherriff [EMAIL PROTECTED]
> To: Tomcat Users List tomcat-user@jakarta.apache.org
> Sent: Saturday, March 26, 2005 11:24 AM
> Subject: Re: Help with SSL Cert config
>
> > Ah. Thanks for the help, truly, but I'm still not getting there. I didn't even know about the truststoreFile so I googled it and saw mention that the easiest thing to do is to set the truststoreFile = the keystoreFile, since that already has the CA cert in it. So, I tried setting truststoreFile to point to my keystoreFile in server.xml. That didn't help. Then I saw that there might be issues with setting truststoreFile in the server.xml in Tomcat 4.1 so I set it in CATALINA_OPTS like:
> >
> > -Djavax.net.ssl.trustStore="C:/Program Files/Apache Group/Tomcat 4.1/conf/server.keystore"
> >
> > and that didn't help either. Anything else I'm missing?
> >
> > ----- Original Message -----
> > From: Bill Barker [EMAIL PROTECTED]
> > To: tomcat-user@jakarta.apache.org
> > Sent: Friday, March 25, 2005 10:13 PM
> > Subject: Re: Help with SSL Cert config
> >
> > > joelsherriff [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > > > I thought that's what this step:
> > > > # Import the CA certificate into the server keystore:
> > > > keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
> > > > was doing. No?
> > >
> > > No. That's putting it into your keystoreFile. The keystoreFile is to identify you. The truststoreFile is to identify other people.
> > >
> > > > ----- Original Message -----
> > > > From: Bill Barker [EMAIL PROTECTED]
> > > > To: tomcat-user@jakarta.apache.org
> > > > Sent: Friday, March 25, 2005 8:51 PM
> > > > Subject: Re: Help with SSL Cert config
> > > >
> > > > > You need to put your CA cert into your Tomcat truststoreFile. Otherwise, your client's cert won't be trusted.
Re: Help with SSL Cert config
> > # Import the CA certificate into the JDK certificate authorities keystore:
> > keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file ca.pem -alias myalias -keypass changeit
>
> This is either/or with truststoreFile (which, since you are using 4.1.x, is done with the -Djavax.net.ssl.trustStore=/path/to/trust.store; for TC 3 5 it's configured like keystoreFile). However, you need to trust your CA cert (i.e. -trustcacerts).

So if I understand you correctly, I need to add a -trustcacerts flag to the keytool command above that imports the CA cert? And, since I am using 4.1 I do need the -Djavax.net.ssl.trustStore=... in my CATALINA_OPTS because 4.1 doesn't support the truststoreFile= in the Coyote connector? Not trying to be dense (I come by that naturally), just want to be clear.

> This (and everything I've said before) is assuming that you're using the Coyote Connector. I don't really remember how the (deprecated) Http11Connector works (and don't care enough to look it up :).

Assumption correct.

> > # Create a file to hold CA's serial numbers.
> > echo 02 > ca.srl
> >
> > # Create a keystore for web server.
> > keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=RD, O=MyOrg, L=New York, S=New York, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
> >
> > # Create a certificate request for web server:
> > keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
> >
> > # Sign the certificate request:
> > openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
> >
> > # Import the signed server certificate into the server keystore:
> > keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit
>
> It's good practice to import the server CA as well, so that JSSE can send the entire chain, but at this point, I imagine you just want it to work ;-).

You can say that again. But, when you say the server CA, which file are you referring to?

> It's also necessary if you are pointing your truststore to your keystore.
>
> > I get a 'Failed to establish chain from reply' exception at this point.
>
> Since you re-created your CA, you would need to re-import it into your browser. However, I'm guessing that it's because of the lack of trust mentioned above.
Help with SSL Cert config
I'm resending this message because a) for some reason I didn't see it on the list after I sent it and b) I never got any responses (maybe because of _a_). So, if my original post did actually make it to the list, please forgive the re-post.

Hope someone can help. I've searched through the archives and this seems to be a common problem, but even detailed instructions have left me stumped. I'm trying to get client certificates to be required by tomcat by setting clientAuth=true but I can't seem to figure out how to get the client certificate to be accepted once I do that. Here's what I've done to generate all the appropriate files (parts copied from other posts to this list):

Further elaboration of what we're trying to do: We want to require client authentication from our customers. So, IIUC, we'll have to send them a signed client cert (p12) to install in their browser and java keystores. Again, IIUC, importing the CA certificate, that was used to sign the client cert, into the server keystore is what tells the server to accept the client certificate presented, because it will be signed by that CA (us). Is my understanding correct? If so, these steps appear to be correct, unless I've hosed something up along the way.

# Create a private key and certificate request
openssl req -new -subj "/C=US/ST=North Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key

# Create CA's self-signed certificate
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

# Copy ca.pem to ca.crt, edit and change TRUSTED CERTIFICATE to CERTIFICATE
# import ca.crt into the Trusted Root Certificates Store in IE

# Import the CA certificate into the JDK certificate authorities keystore:
keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file ca.pem -alias my_ca_alias -keypass changeit -storepass changeit

# Create a file to hold CA's serial numbers.
echo 02 > ca.srl

# Create a keystore for the web server.
keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=RD, O=MyOrganization, L=Raleigh, S=North Carolina, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS

# Create a certificate request for the web server:
keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit

# Sign the certificate request:
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365

# Import the signed server certificate into the server keystore:
keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit

# Import the CA certificate into the server keystore:
keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit

# Create a client certificate request:
openssl req -new -newkey rsa:512 -nodes -out client1.req -keyout client1.key

# Sign the client certificate.
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in client1.req -out client1.pem -days 365

# Generate a PKCS12 file containing client key and client certificate.
openssl pkcs12 -export -clcerts -in client1.pem -inkey client1.key -out client1.p12 -name Client

# Import the PKCS12 file into the web browser under Personal Certificates
# edit the server.xml file and set clientAuth=true and keystoreFile to point to my server.keystore file.

Once all this is done, neither IE nor my web app can talk to tomcat on the ssl port (8443)
Re: Help with SSL Cert config
You need to put your CA cert into your Tomcat truststoreFile. Otherwise, your client's cert won't be trusted.

joelsherriff [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Again, IIUC, importing the CA certificate, that was used to sign the client cert, into the server keystore is what tells the server to accept the client certificate presented, because it will be signed by that CA (us). Is my understanding correct? If so, these steps appear to be correct, unless I've hosed something up along the way.
>
> [...]
>
> Once all this is done, neither IE nor my web app can talk to tomcat on the ssl port (8443)
Re: Help with SSL Cert config
I thought that's what this step:

# Import the CA certificate into the server keystore:
keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit

was doing. No?

----- Original Message -----
From: Bill Barker [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Sent: Friday, March 25, 2005 8:51 PM
Subject: Re: Help with SSL Cert config

> You need to put your CA cert into your Tomcat truststoreFile. Otherwise, your client's cert won't be trusted.
>
> joelsherriff [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > Again, IIUC, importing the CA certificate, that was used to sign the client cert, into the server keystore is what tells the server to accept the client certificate presented, because it will be signed by that CA (us). Is my understanding correct?
> >
> > [...]
Re: Help with SSL Cert config
joelsherriff [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> I thought that's what this step:
>
> # Import the CA certificate into the server keystore:
> keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
>
> was doing. No?

No. That's putting it into your keystoreFile. The keystoreFile is to identify you. The truststoreFile is to identify other people.

> ----- Original Message -----
> From: Bill Barker [EMAIL PROTECTED]
> To: tomcat-user@jakarta.apache.org
> Sent: Friday, March 25, 2005 8:51 PM
> Subject: Re: Help with SSL Cert config
>
> > You need to put your CA cert into your Tomcat truststoreFile. Otherwise, your client's cert won't be trusted.
> >
> > joelsherriff [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > > Again, IIUC, importing the CA certificate, that was used to sign the client cert, into the server keystore is what tells the server to accept the client certificate presented, because it will be signed by that CA (us). Is my understanding correct?
> > >
> > > [...]
Help with SSL Cert
Hope someone can help. I've searched through the archives and this seems to be a common problem, but even detailed instructions have left me stumped. I'm trying to get client certificates to be required by tomcat by setting clientAuth=true but I can't seem to figure out how to get the client certificate to be accepted once I do that. Here's what I've done to generate all the appropriate files (parts copied from other posts to this list):

# Create a private key and certificate request
openssl req -new -subj "/C=US/ST=North Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key

# Create CA's self-signed certificate
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

# Copy ca.pem to ca.crt, edit and change TRUSTED CERTIFICATE to CERTIFICATE
# import ca.crt into the Trusted Root Certificates Store in IE

# Import the CA certificate into the JDK certificate authorities keystore:
keytool -import -keystore %JAVA_HOME%/jre/lib/security/cacerts -file ca.pem -alias my_ca_alias -keypass changeit -storepass changeit

# Create a file to hold CA's serial numbers.
echo 02 > ca.srl

# Create a keystore for the web server.
keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=RD, O=MyOrganization, L=Raleigh, S=North Carolina, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS

# Create a certificate request for the web server:
keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit

# Sign the certificate request:
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365

# Import the signed server certificate into the server keystore:
keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit

# Import the CA certificate into the server keystore:
keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit

# Create a client certificate request:
openssl req -new -newkey rsa:512 -nodes -out client1.req -keyout client1.key

# Sign the client certificate.
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in client1.req -out client1.pem -days 365

# Generate a PKCS12 file containing client key and client certificate.
openssl pkcs12 -export -clcerts -in client1.pem -inkey client1.key -out client1.p12 -name Client

# Import the PKCS12 file into the web browser under Personal Certificates
# edit the server.xml file and set clientAuth=true and keystoreFile to point to my server.keystore file.

Once all this is done, neither IE nor my web app can talk to tomcat on the ssl port (8443)
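The steps above build three things (a private CA, a server certificate, a client certificate) and the thread's failures ('null cert chain', 'Failed to establish chain from reply') all come down to one question: does the certificate presented chain to a CA the other side trusts? The script below is an added example, not code posted in the thread, that reproduces the same three-tier setup with openssl alone (no keytool, so no JKS files) and then runs that trust check explicitly before any Tomcat restart. Every file name, subject and the throw-away directory are constructed for the demo; the CA is given explicit CA extensions (the thread's "-trustout" CA has none), which is an addition of this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds our own CA, a server
# cert and a client cert with openssl only, then checks whether a client cert
# chains to the CA that would sit in Tomcat's truststore.
# Assumed: a working `openssl` on PATH; all names/paths below are constructed.

WORK="${WORK:-$(mktemp -d)}"

# make_ca <name>: self-signed CA with explicit CA extensions (v3 certs without
# basicConstraints=CA:TRUE are rejected as issuers by modern validators).
make_ca() {
    name="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# issue_cert <ca> <name> <serverAuth|clientAuth>: end-entity cert signed by <ca>,
# mirroring the thread's "openssl x509 -CA ca.pem -CAkey ca.key -req" step.
issue_cert() {
    ca="$1"; name="$2"; eku="$3"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$WORK/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$name.csr" \
        -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# verify_chain <ca> <cert>: the decision Tomcat's truststore makes at handshake
# time. Prints OK or FAIL instead of exiting so callers can branch on it.
verify_chain() {
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# make_p12 <name> <password>: bundle client key + cert for browser import,
# as the thread does with "openssl pkcs12 -export".
make_p12() {
    openssl pkcs12 -export -in "$WORK/$1.pem" -inkey "$WORK/$1.key" \
        -name "$1" -passout "pass:$2" -out "$WORK/$1.p12" 2>/dev/null
    if [ -s "$WORK/$1.p12" ]; then echo OK; else echo FAIL; fi
}

demo() {
    make_ca our-ca
    make_ca other-ca                       # stands in for a cert we did NOT issue
    issue_cert our-ca tomcat-sv serverAuth
    issue_cert our-ca client1 clientAuth
    issue_cert other-ca stranger clientAuth
    echo "client1  against our-ca: $(verify_chain our-ca client1)"   # OK
    echo "stranger against our-ca: $(verify_chain our-ca stranger)"  # FAIL
    echo "client1.p12 written: $(make_p12 client1 changeit)"
    echo "files in $WORK"
}

demo
```

In Tomcat terms, "$WORK/our-ca.pem" is the file Bill's reply says belongs in the truststore (truststoreFile on 5.x, -Djavax.net.ssl.trustStore on 4.1), while tomcat-sv's key and certificate belong in keystoreFile. If verify_chain already says FAIL for a client certificate, no connector setting will make the handshake succeed; if it says OK and the handshake still fails, the problem is which store Tomcat is actually reading, which is where the thread ends up.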
investigating SSL Cert handshake timeout
I'm running Tomcat 4.1.27 on Solaris 2.6 with JDK 1.4.0_01. I have a webapp configured to use CLIENT-CERT authentication. When I attempt to point my browser at one of the resources guarded by a security-constraint, I can select and send a client certificate, but the server throws a SocketException with the message "SSL Cert handshake timeout", and the requested resource does not load.

Googling for the SocketException message above shows five links, three of which contain code from the tomcat-devel list, but I didn't find any suggested fixes. Do I need to dig deeper in Google?

I do realize that Solaris 2.6 is ancient, and JDK 1.4.0 is the best I can use on it. If an upgrade is necessary to make this work, I'll be thrilled--it'll give me evidence to tell my supervisor that the current platform is unacceptable.

Fiddling with the server and webapp settings produces at least one combination which allows me to access the protected resource. Here's what I've found so far:

- With clientAuth=false in server.xml (SSL) and CLIENT-CERT in the webapp's web.xml, I get the "SSL Cert handshake timeout" above.

- With clientAuth=true in the server and BASIC authentication in the webapp, I can connect after providing both a client certificate and a valid username/password. In this case, initial access to the resource is governed by the username/password (as expected), and I can still use the certificate in the standard HttpServletRequest attribute for further authentication. (Joy! A viable workaround for the moment!)

- With clientAuth=true and CLIENT-CERT, I first get asked for a certificate as before, but then a basic-authentication box pops up with the realm name "unknown". No username/password combo works (not surprising because the realm is strange), and canceling the authentication yields an error page claiming that the resource requires HTTP authentication.

That's all I have so far. All suggestions are appreciated. I apologize for the lack of actual excerpts from server logs. I can't get the logs on the Solaris box to an account from which I can send e-mail without printing and retyping them. (Yup. Bad situation to be in. Preaching to the choir.)

Sincerely,
Jonathan Higa ([EMAIL PROTECTED])
RE: Multiple SSL cert for Tomcat
I don't have a server set up with multiple certificates right now, so I can't give you a snippet from a server.xml file. It would look something like this though:

<Server ...>
  <Service ... name="Tomcat-Standalone">
    <Connector ... address="192.168.1.1" scheme="https" port="8443" ...>
      <Factory ... keystoreFile="/home/tomcat/www.domainone.com/.keystore" keystorePass="changeit" ... />
    </Connector>
    <Connector ... address="192.168.1.2" scheme="https" port="8443" ...>
      <Factory ... keystoreFile="/home/tomcat/www.domaintwo.com/.keystore" keystorePass="changeit" ... />
    </Connector>
  </Service>
</Server>

I've only done this with standalone Tomcat. Note that you've got to have different IPs (which can be on the same or different network cards). Of course the location of the keystore file and the password are up to you.

I've found this article very helpful - although it doesn't deal with SSL specifically, it gives you a lot of good tips that I used to make this multiple SSL certificate thing work.
http://www-106.ibm.com/developerworks/linux/library/l-secjav.html

Roman

-----Original Message-----
From: Rich P [mailto:[EMAIL PROTECTED]
Sent: Tue 6/3/2003 1:41 PM
To: Tomcat Users List
Subject: RE: Multiple SSL cert for Tomcat

> Hi Roman,
>
> Is it possible to paste a sample of your server.xml with
> - Define multiple Connectors for the SSL port, each with a distinct IP address AND distinct keystore file
>
> Thanks
>
> --- Roman Fail [EMAIL PROTECTED] wrote:
> > You can have multiple SSL certificates. They cannot be on the same IP address (although you can use the same port number on different IPs). Since the HTTP header is encrypted within the transmission, the requested domain name can't be determined until after decryption - so it wouldn't know which SSL certificate to use for decryption.
> >
> > The way I've done it:
> > - Separate IP addresses for each distinct domain name/SSL cert combination
> > - Define multiple Connectors for the SSL port, each with a distinct IP address AND distinct keystore file
> > - Each keystore file has an individual SSL certificate stored in it (with key name 'tomcat')
> >
> > Hope this helps.
> > Roman
Multiple SSL cert for Tomcat
All,

From reading the SSL howto, it looks like I can have multiple SSL cert with different passwd (if needed) in the same keystore file.

Situation, 1 server, common web application - 2 gua with 2 different URL's (each with their own ssl cert)

Questions,
1. Can I serve both sites from one port (8443)
2. Do I need to define multiple service containers per URL

TIA
RE: Multiple SSL cert for Tomcat
You can have multiple SSL certificates. They cannot be on the same IP address (although you can use the same port number on different IPs). Since the HTTP header is encrypted within the transmission, the requested domain name can't be determined until after decryption - so it wouldn't know which SSL certificate to use for decryption.

The way I've done it:
- Separate IP addresses for each distinct domain name/SSL cert combination
- Define multiple Connectors for the SSL port, each with a distinct IP address AND distinct keystore file
- Each keystore file has an individual SSL certificate stored in it (with key name 'tomcat')

Hope this helps.

Roman

-----Original Message-----
From: Rich P [mailto:[EMAIL PROTECTED]]
Sent: Tue 6/3/2003 12:04 PM
To: [EMAIL PROTECTED]
Subject: Multiple SSL cert for Tomcat
RE: Multiple SSL cert for Tomcat
Hi Roman,

Is it possible to paste a sample of your server.xml with
- Define multiple Connectors for the SSL port, each with a distinct IP address AND distinct keystore file

Thanks

--- Roman Fail [EMAIL PROTECTED] wrote:
SSL cert on Apache not working properly with Tomcat?
I'm attempting to break down each of my individual problems into separate posts, hoping that makes it a little easier to address each issue.

This error appears in my catalina.out even though my webapp works properly. Any suggestions on what would cause this error? I checked the line indicated by the error and it is

    byte[] certData = certString.getBytes();

It appears this has to do with my security certificate which is specified in my httpd.conf file. Although my app works, I am concerned that this could mean a security issue and if that is the case then I need to get this resolved.

    SEVERE: Error in action code
    java.lang.NullPointerException
        at org.apache.jk.server.JkCoyoteHandler.action(JkCoyoteHandler.java:386)
        at org.apache.coyote.Response.action(Response.java:222)
        at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:310)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:632)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:590)
        at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:707)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:530)
        at java.lang.Thread.run(Thread.java:536)

I compared the time I got this message to other logs. No error messages in other logs, but this error gets logged at the exact same time that control leaves apache and I pull up my first page in my tomcat webapp.

Taking the advice provided on a previous post some time back, I have not made any changes to Tomcat config regarding SSL. I was told that since I have SSL configured on Apache, I wouldn't need to make any settings in Tomcat since it is not a standalone server.

Any suggestions? Thanks all!

Denise
Re: SSL cert on Apache not working properly with Tomcat?
This is a known problem. See http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15456 for more details. It has to do with the (non-existent) client cert, and has nothing to do with the Apache cert. Also (besides filling up log space), it's pretty harmless.

Denise Mangano [EMAIL PROTECTED] wrote in message news:5D83C44941AFD4118B6F0002B302984F43863D@EXCHANGE_SERVER...
Re: signed SSL cert tomcat
Try these links, it works:
http://www.comu.de/docs/tomcat_ssl.htm
http://www.openssl.org/docs/apps/pkcs8.html#COMMAND_OPTIONS

Let me know if you still face problems,

Regards,
Joseph

--- Jeff Cousineau [EMAIL PROTECTED] wrote:
signed SSL cert tomcat
New to the list, so far I haven't found a definitive answer to this question in the archives, etc...

I'm using Tomcat 4.1.12 on RH Linux 7.3, as a standalone (w/o apache). I generated a CSR for my SSL cert using 'openssl' (not 'keytool'). After I received the official cert from Verisign, I created a new keystore file (using 'keytool') by importing first the chain/root cert, followed by my new cert. When I restart tomcat I get the following error when attempting to go to my site:

    ... cannot communicate securely because they have no common encryption algorithms

I have a difficult time believing that tomcat will only recognize a cert whose CSR was created using 'keytool' (as opposed to 'openssl'), but thus far I've found nothing documented to suggest otherwise. Any thoughts?

Thanks,
Jeff
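As an added diagnostic (example code, not anything posted in this thread), the Python below reads a JKS keystore the way Tomcat's SSL Connector will see it and reports whether it holds a private-key entry under the alias the Connector loads ('tomcat' by default, the key name Roman mentions earlier on this page). The procedure Jeff describes, importing the chain and then the issued certificate with keytool, produces only trusted-certificate entries; a server whose keystore has no key entry has nothing to sign the handshake with, so no cipher suite can be agreed, and that is what the browser reports as "no common encryption algorithms". The two keystores are constructed byte for byte in the JKS container layout with placeholder certificate bytes (not real X.509 data or keys), the integrity digest is computed as the JKS format defines it, and the parser leaves the protected key blob encrypted.

```python
"""Inspect a JKS keystore the way Tomcat's SSL Connector will see it: is there a private-key
entry under the alias it loads ('tomcat' unless configured otherwise)?  Added example, not
from the thread.  The two keystores below are constructed in the JKS container layout with
placeholder certificate bytes; nothing here is a real certificate or key."""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
TAG_PRIVATE_KEY = 1      # key entry: protected key blob plus its certificate chain
TAG_TRUSTED_CERT = 2     # trusted-certificate entry: a certificate and nothing else
_JKS_DIGEST_SALT = b"Mighty Aphrodite"   # fixed string the JKS integrity digest mixes in
_SAMPLE_TIMESTAMP_MS = 1054667000000     # constructed creation time (June 2003)


def _jutf(text):
    """Java DataOutput.writeUTF: 2-byte big-endian length followed by the bytes."""
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def build_jks(entries, password):
    """Serialise (alias, tag, cert_chain, protected_key) tuples into a JKS file (constructed data)."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, tag, chain, key in entries:
        body += struct.pack(">I", tag) + _jutf(alias) + struct.pack(">Q", _SAMPLE_TIMESTAMP_MS)
        if tag == TAG_PRIVATE_KEY:
            body += struct.pack(">I", len(key)) + key + struct.pack(">I", len(chain))
            for cert in chain:
                body += _jutf("X.509") + struct.pack(">I", len(cert)) + cert
        else:
            body += _jutf("X.509") + struct.pack(">I", len(chain[0])) + chain[0]
    # The trailing SHA-1 covers the password (as UTF-16BE), the fixed salt and every byte before it.
    digest = hashlib.sha1(password.encode("utf-16-be") + _JKS_DIGEST_SALT + body).digest()
    return body + digest


def read_jks(data, password=None):
    """Parse a JKS blob into (entries, integrity_ok); entries are (alias, tag, cert_count) and
    integrity_ok is None when no password is given.  The protected key is left encrypted."""
    pos = 0

    def take(fmt):
        nonlocal pos
        size = struct.calcsize(fmt)
        vals = struct.unpack(fmt, data[pos:pos + size])
        pos += size
        return vals[0] if len(vals) == 1 else vals

    def take_utf():
        nonlocal pos
        n = take(">H")
        text = data[pos:pos + n].decode("utf-8")
        pos += n
        return text

    def take_blob():
        nonlocal pos
        n = take(">I")
        blob = data[pos:pos + n]
        pos += n
        return blob

    magic, version, count = take(">III")
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a version-2 JKS keystore")
    entries = []
    for _ in range(count):
        tag = take(">I")
        alias = take_utf()
        take(">Q")                       # creation timestamp, not needed here
        if tag == TAG_PRIVATE_KEY:
            take_blob()                  # encrypted PKCS#8 key, left as-is
            cert_count = take(">I")
            for _ in range(cert_count):
                take_utf()               # certificate type, "X.509"
                take_blob()
        elif tag == TAG_TRUSTED_CERT:
            take_utf()
            take_blob()
            cert_count = 1
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
        entries.append((alias, tag, cert_count))
    integrity_ok = None
    if password is not None:
        expected = hashlib.sha1(password.encode("utf-16-be") + _JKS_DIGEST_SALT + data[:pos]).digest()
        integrity_ok = data[pos:pos + 20] == expected
    return entries, integrity_ok


def has_server_key(data, alias="tomcat"):
    """True only if the alias names a key entry; a trusted-cert entry under that alias is not enough."""
    entries, _ = read_jks(data)
    return any(a == alias and tag == TAG_PRIVATE_KEY for a, tag, _ in entries)


# Placeholder DER-looking bytes (constructed, not real certificates or keys).
CA_CERT = b"\x30\x82\x00\x10CONSTRUCTED-CA-CERT"
SERVER_CERT = b"\x30\x82\x00\x14CONSTRUCTED-SERVER-CERT"
PROTECTED_KEY = b"CONSTRUCTED-ENCRYPTED-PKCS8-KEY"

# What importing the chain and then the issued cert with keytool yields: trusted entries only.
CERTS_ONLY_JKS = build_jks([("rootca", TAG_TRUSTED_CERT, [CA_CERT], b""),
                            ("tomcat", TAG_TRUSTED_CERT, [SERVER_CERT], b"")], "changeit")
# What the Connector needs: the private key under the alias, with the chain attached to it.
KEY_AND_CHAIN_JKS = build_jks([("tomcat", TAG_PRIVATE_KEY, [SERVER_CERT, CA_CERT], PROTECTED_KEY)],
                              "changeit")

if __name__ == "__main__":
    for name, blob in (("certs-only", CERTS_ONLY_JKS), ("key-and-chain", KEY_AND_CHAIN_JKS)):
        print(name, read_jks(blob, "changeit"), "usable by a Connector:", has_server_key(blob))
```

Against a real .keystore, read_jks(open(path, "rb").read(), password) lists every alias with its entry type, and a False integrity result means the file was modified or the password is wrong. The remedy for Jeff's situation is to get the openssl-generated private key into the keystore as a key entry rather than adding the certificate as a trusted entry: keytool of that era cannot import a private key, so the usual route is to bundle the key and the chain with openssl pkcs12 -export and point the Connector at the resulting file as a PKCS12-type keystore (via the keystoreType attribute on versions whose Connector or Factory accepts it; the pkcs8 page Joseph links covers converting the key's encoding).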
RE: signed SSL cert tomcat
Jeff,

I haven't done that, yet, but does this help?
http://marsalis.internet2.edu/cgi-bin/viewcvs.cgi/*checkout*/shibboleth/DEPLOY-GUIDE-ORIGIN.html?rev=HEAD&content-type=text/html#4.b.i.

--- Noel