RE: Creating a signed SSL certificate with my own CA

2002-12-12 Thread Donie Kelly
Just to clarify, when I try to connect via SSL the SSL Handshake fails. 
Donie

-Original Message-
From: Donie Kelly [mailto:[EMAIL PROTECTED]]
Sent: 12 December 2002 12:08
To: 'Tomcat Users List'
Subject: Creating a signed SSL certificate with my own CA


Hi all
I'm really stuck here and I'd appreciate some help. To summarise, I've
followed the instructions below to generate a CA key so that I can sign my
own certificates for use with tomcat. The instructions below work and the
ca.crt and client.crs.der certs that pop out are viewable in IE. If I import
the CA key it shows the client.crs.der key with the CA above. Everything
looks great.
Then I use the testkeys with tomcat
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           address="192.168.1.4" port="443" enableLookups="true" scheme="https"
           secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="false" protocol="TLS" keystoreFile="c:\tomcat4.0\conf\testkeys"
           keystorePass="changeit" />
</Connector>
Now when I try to connect with SSL from IE it just shows
Cannot find server or DNS Error
What am I doing wrong? Are the certs I am creating suitable for SSL with
Tomcat? I'd really appreciate some help.
Donie

PS: Instructions from http://www.ddj.com/documents/s=870/ddj0102a/0102a.htm 
Certificate Authority
In a nutshell, what I'm suggesting is that you create your own Certificate
Authority (CA) to sign your keys. This gets complicated because nothing in
the Java Development Kit or JSSE lets you set up a CA and sign keys. You
have to go elsewhere for tools to do this. I chose to go with the OpenSSL
toolkit (http://www.openssl.org/) running on Linux. There are toolsets
available from other vendors and platforms, however. If you choose to use a
different toolset, you will just have to substitute the appropriate
commands; the theory is the same no matter what.
First, you need to generate your CA's key. That key is used to sign all the
other application keys. The OpenSSL toolkit comes configured to set up a CA
from whatever directory you start it in. This means that you need to use all
the CA commands from the same directory. In the sample code, you'll find the
CA directory that I used to generate the CA key and sign all the application
keys:
1. Generate the CA key
$ openssl genrsa -rand -des -out ca.key 1024
2. Create a self-signed certificate
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You are prompted for location information for the certificate. Enter
whatever you want, but make sure you enter something for each field:
3. Set up the OpenSSL CA tools
$ mkdir demoCA
$ mkdir demoCA/newcerts
$ touch demoCA/index.txt
$ cp ca.crt demoCA/
$ echo 01 > demoCA/serial
You now can create the client application's key store and export its public
key so your CA can sign it. You can enter whatever you want for all the
location information, but again make sure you enter something - standard
alphanumeric characters and spaces, but no underscores or other special
characters - for every field:
4. Create a new key store for the client application
$ keytool -keystore testkeys -genkey -alias client
When prompted, enter passphrase for the password to use this keystore with
the sample applications.
5. Export the client's public key
$ keytool -keystore testkeys -certreq -alias client -file client.crs
6. Sign the client's key with our CA key
$ openssl ca -config /etc/openssl.cnf -in client.crs -out client.crs.pem \
    -keyfile ca.key -cert ca.crt
At this point, you should have a file called client.crs.pem, which is the
signed public key. It needs to be converted to a format suitable for the
JDK's keytool command, and then imported into the testkeys keystore:
7. Convert to DER format
$ openssl x509 -in client.crs.pem -out client.crs.der -outform DER
8. Import CA certificate into client's key store
$ keytool -keystore testkeys -alias jsse_article_ca -import -file ca.crt
9. Import signed key into client's key store
$ keytool -keystore testkeys -alias client -import -file client.crs.der
Step 8 must be completed so that the keytool command agrees to import the
signed key. While importing the signed key, keytool checks the signatories
to ensure that their signatures can be validated. They can be validated if
their public keys are in the key store.
Once you have completed all of these steps, move the testkeys key store to
the client directory. Start over with step 4 and create a key store for the
server process. Just substitute server everywhere you see client. Make
sure you enter something different in one of the location fields
(organizational unit would be a good choice).


--
To unsubscribe, e-mail:
mailto:[EMAIL PROTECTED]
For additional commands, e-mail:
mailto:[EMAIL PROTECTED]

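As an added example (not code from this thread or from the DDJ article), the trust relationship the nine steps above build, written in Go so it runs self-contained without keytool: a private CA, a server certificate signed by that CA, the leaf-plus-CA chain, and a TLS handshake run once against a client that holds the CA certificate and once against a client that does not, which reproduces the failed handshake reported in the thread. The function names, the "test ca" and "tomcat server" subjects and the serial numbers are constructed; 192.168.1.4 is the address from the connector configuration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// baseTemplate fills the fields both certificates share: serial, subject and a
// one-year validity window (the article's -days 365).
func baseTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
}

// NewCA generates the CA key and its self-signed certificate (steps 1 and 2).
// CA:TRUE plus the certSign key usage is what lets it act as an issuer.
func NewCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := baseTemplate(cn, 1)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// IssueServerCert generates the server key and has the CA sign its certificate
// (steps 4 to 7). The returned chain is leaf then CA, which is what the keystore
// alias holds once the CA certificate (step 8) and signed certificate (step 9) are in.
func IssueServerCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, ip net.IP) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := baseTemplate("tomcat server", serial)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	tmpl.IPAddresses = []net.IP{ip} // must match the address the browser connects to
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der, caCert.Raw}, PrivateKey: key}, nil
}

// Handshake runs a TLS handshake over an in-memory pipe between a server presenting
// serverCert and a client whose trust store is roots. nil means both sides completed;
// a client that does not hold the CA certificate fails here, like the browser in the thread.
func Handshake(serverCert tls.Certificate, roots *x509.CertPool, serverName string) error {
	cconn, sconn := net.Pipe()
	// net.Pipe is synchronous, so pin TLS 1.2 and disable session tickets to keep the
	// two sides' flights strictly alternating; a real socket needs neither setting.
	srv := tls.Server(sconn, &tls.Config{Certificates: []tls.Certificate{serverCert}, SessionTicketsDisabled: true})
	cli := tls.Client(cconn, &tls.Config{RootCAs: roots, ServerName: serverName, MaxVersion: tls.VersionTLS12})
	serverErr := make(chan error, 1)
	go func() {
		serverErr <- srv.Handshake()
		sconn.Close()
	}()
	clientErr := cli.Handshake()
	cconn.Close()
	if err := <-serverErr; clientErr == nil && err != nil {
		return err
	}
	return clientErr
}

func main() {
	caCert, caKey, err := NewCA("test ca") // constructed name, not the thread's own CA
	if err != nil {
		panic(err)
	}
	server, err := IssueServerCert(caCert, caKey, 2, net.ParseIP("192.168.1.4"))
	if err != nil {
		panic(err)
	}
	trusting := x509.NewCertPool()
	trusting.AddCert(caCert)
	fmt.Println("client trusts the CA:        ", Handshake(server, trusting, "192.168.1.4"))
	fmt.Println("client does not trust the CA:", Handshake(server, x509.NewCertPool(), "192.168.1.4"))
}
```

The second handshake fails with an unknown-authority error from the client side, which is the same situation as a browser whose certificate store does not yet contain ca.crt.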




Re: Creating a signed SSL certificate with my own CA

2002-12-12 Thread Christoph Fischer
Maybe you have an entry for a special proxy server
in your IE for SSL connections?
I've created a key with the keytool from j2sdk1.4.1 and it works without 
problem

Chris





RE: Creating a signed SSL certificate with my own CA

2002-12-12 Thread Donie Kelly
I can create a single key and use that. It works OK. When I try to sign the
key using my own CA is where the problem is happening.

Donie


-Original Message-
From: Christoph Fischer [mailto:[EMAIL PROTECTED]]
Sent: 12 December 2002 14:35
To: Tomcat Users List
Subject: Re: Creating a signed SSL certificate with my own CA


RE: Creating a signed SSL certificate with my own CA

2002-12-12 Thread Bodycombe, Andrew
You can turn on SSL debugging by setting the following environment variable

CATALINA_OPTS=-Djavax.net.debug=ALL

Then, restart tomcat. You will then see much more info in the log.
This might help you to debug your problem.

Andy.

-Original Message-
From: Donie Kelly
To: 'Tomcat Users List'
Sent: 12/12/2002 14:11
Subject: RE: Creating a signed SSL certificate with my own CA


RE: Creating a signed SSL certificate with my own CA

2002-12-12 Thread Donie Kelly
Thanks

I'll turn it on and get back here if the logs don't help me...

Donie

-Original Message-
From: Bodycombe, Andrew [mailto:[EMAIL PROTECTED]]
Sent: 12 December 2002 14:58
To: 'Donie Kelly '; ''Tomcat Users List' '
Subject: RE: Creating a signed SSL certificate with my own CA


[OT] RE: Creating a signed SSL certificate with my own CA

2002-12-12 Thread Donie Kelly
HttpProcessor[443][4], WRITE:  SSL v3.0 Handshake, length = 2276


-Original Message-
From: Bodycombe, Andrew [mailto:[EMAIL PROTECTED]]
Sent: 12 December 2002 14:58
To: 'Donie Kelly '; ''Tomcat Users List' '
Subject: RE: Creating a signed SSL certificate with my own CA


FW: [OT] RE: Creating a signed SSL certificate with my own CA

2002-12-12 Thread Donie Kelly
.?.?..n
05D0: D1 7B 4D D2 E5 65 CC 02   44 77 71 77 04 E9 2C 4F  ..M..e..Dwqw..,O
05E0: D2 9E 33 64 61 76 0A 38   C2 60 F0 91 33 32 E7 C9  ..3dav.8.`..32..
05F0: 80 31 EC CF BB 04 AA CD   0C 3A B0 EA F7 F3 E0 AE  .1...:..
HttpProcessor[443][4], WRITE:  SSL v3.0 Handshake, length = 2276


-Original Message-
From: Bodycombe, Andrew [mailto:[EMAIL PROTECTED]]
Sent: 12 December 2002 14:58
To: 'Donie Kelly '; ''Tomcat Users List' '
Subject: RE: Creating a signed SSL certificate with my own CA

You can turn on SSL debugging by setting the following environment variable

CATALINA_OPTS=-Djavax.net.debug=ALL

Then, restart tomcat. You will then see much more info in the log.
This might help you to debug your problem.

Andy.


RE: [OT] RE: Creating a signed SSL certificate with my own CA

2002-12-12 Thread Bodycombe, Andrew
Strange. I was expecting to see an error in this log.

The server has definitely sent the certificate chain, so the client and
server are communicating.

At the end, it says SSL v3.0 Handshake, so check that you have got your
Use SSL 3.0 option checked in your Internet Options (Advanced tab). A long
shot, I know.

If this is the end of the log, it looks like the server is waiting for more
information from the client. This may be the point where IE is supposed to
bring up a dialog asking you if you accept the certificate, or a dialog
asking you for the client certificate to send to the server. I'm not sure.

Andy
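As an added triage helper (not part of this thread, of Tomcat or of JSSE), the parser below pulls the hello versions, the offered and chosen cipher suites, the certificate-chain and key-type lines and the last record out of a javax.net.debug trace like the one quoted in this thread, then checks that the chosen suite was actually offered and that its key exchange matches the server certificate's key type. The sample trace is a constructed excerpt of the quoted log, and the key-type-to-suite-token mapping is an assumption.

```python
import re

# Constructed sample: excerpts of the javax.net.debug=ALL trace quoted in this
# thread, with the mail wrapping rejoined (the real trace is much longer).
SAMPLE_TRACE = """\
HttpProcessor[443][4], READ:  SSL v2, contentType = 22, translated length = 65
*** ClientHello, v3.0
Cipher Suites:  { 0, 4, 0, 5, 0, 10, 0, 9, 0, 100, 0, 98, 0, 3, 0, 6, 0, 19, 0, 18, 0, 99 }
*** ServerHello, v3.0
Cipher Suite:  { 0, 19 }
Cipher suite:  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
*** Certificate chain
  Subject: CN=xenia.tecnomen.ie, OU=dad, O=tecnomen, ST=clare, C=IE
  Key:  Sun DSA Public Key
HttpProcessor[443][4], WRITE:  SSL v3.0 Handshake, length = 2276
"""

# Assumed token a suite name carries for each server key type (a DSA key serves DSS suites).
KEY_TOKEN = {"DSA": "_DSS_", "RSA": "_RSA_"}

def _pairs(text):
    """JSSE prints suite ids as byte pairs: '{ 0, 4, 0, 19 }' -> [(0, 4), (0, 19)]."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    return list(zip(nums[::2], nums[1::2]))

def summarize_handshake(trace):
    """Reduce a javax.net.debug trace to the facts needed to triage a stalled handshake."""
    s = {"client_version": None, "server_version": None, "offered": [], "chosen": None,
         "chosen_name": "", "cert_sent": False, "key_type": "", "last_record": None}
    for line in trace.splitlines():
        if m := re.match(r"\*\*\* (Client|Server)Hello, v(\S+)", line):
            s[m.group(1).lower() + "_version"] = m.group(2)
        elif m := re.match(r"Cipher Suites:\s*(\{.*\})", line):
            s["offered"] = _pairs(m.group(1))          # what the client is willing to use
        elif m := re.match(r"Cipher Suite:\s*(\{.*\})", line):
            s["chosen"] = _pairs(m.group(1))[0]        # what the server picked
        elif m := re.match(r"Cipher suite:\s*(\S+)", line):
            s["chosen_name"] = m.group(1)
        elif line.startswith("*** Certificate chain"):
            s["cert_sent"] = True                      # server got as far as sending its cert
        elif m := re.search(r"Key:\s+Sun (\w+) Public Key", line):
            s["key_type"] = m.group(1)
        elif m := re.search(r"(READ|WRITE):\s+SSL v[\d.]+ (\w+)", line):
            s["last_record"] = f"{m.group(1)} {m.group(2)}"  # last record before the stall
    # Two checks to make on every such trace: the chosen suite must be one the client
    # offered, and its key exchange must fit the key type in the server certificate.
    s["chosen_offered"] = s["chosen"] in s["offered"]
    s["suite_matches_key"] = KEY_TOKEN.get(s["key_type"], "?") in s["chosen_name"]
    return s
```

Feed a full trace file to `summarize_handshake` to see where the exchange stopped; a `last_record` of `WRITE Handshake` with nothing read afterwards means the client never answered.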

-Original Message-
From: Donie Kelly
To: 'Bodycombe, Andrew'; Donie Kelly; ''Tomcat Users List' '
Sent: 12/12/2002 16:14
Subject: [OT] RE: Creating a signed SSL certificate with my own CA

Here's a trace of the SSL using CATALINA_OPTS=-Djavax.net.debug=ALL

It's large so I'd appreciate if somebody who can understand this stuff
could
point me in some direction.

Thanks
Donie


Apache Tomcat/4.0.4
12 Dec 16:04:24 [RELAYSTARTUP] [INFO  Alarms.144] BACKGOUND_THREADS alarm has been switched OFF
12 Dec 16:04:24 [LDAP Operator-MESSAGE-STORE] [INFO  Alarms.144] MESSAGE_STORE alarm has been switched OFF
12 Dec 16:04:25 [LDAP Operator-LDAP-CACHE] [INFO  Alarms.144] LDAP_CACHES alarm has been switched OFF
Finalizer, SEND SSL v3.1 ALERT:  warning, description = close_notify
Finalizer, WRITE:  SSL v3.1 Alert, length = 2
[read] MD5 and SHA1 hashes:  len = 3
: 01 03 00   ...
[read] MD5 and SHA1 hashes:  len = 73
: 00 33 00 00 00 10 00 00   04 00 00 05 00 00 0A 01  .3..
0010: 00 80 07 00 C0 03 00 80   00 00 09 06 00 40 00 00  .@..
0020: 64 00 00 62 00 00 03 00   00 06 02 00 80 04 00 80  d..b
0030: 00 00 13 00 00 12 00 00   63 78 91 B2 8F 94 4C 65  cxLe
0040: EE F2 AD 21 F5 18 D7 A5   BB   ...!.
HttpProcessor[443][4], READ:  SSL v2, contentType = 22, translated length = 65
*** ClientHello, v3.0
RandomCookie:  GMT: 0 bytes = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 120, 145, 178, 143, 148, 76, 101, 238, 242, 173, 33, 245, 24, 215, 165, 187 }
Session ID:  {}
Cipher Suites:  { 0, 4, 0, 5, 0, 10, 0, 9, 0, 100, 0, 98, 0, 3, 0, 6, 0, 19, 0, 18, 0, 99 }
Compression Methods:  { 0 }
***
%% Created:  [Session-1, SSL_NULL_WITH_NULL_NULL]
matching server alias : client
*** ServerHello, v3.0
RandomCookie:  GMT: 1022866086 bytes = { 75, 187, 79, 84, 25, 0, 159, 141, 94, 87, 237, 18, 177, 217, 24, 51, 123, 66, 77, 118, 51, 41, 57, 155, 56, 165, 203, 208 }
Session ID:  {61, 248, 179, 166, 219, 88, 242, 12, 148, 68, 61, 81, 220, 184, 52, 137, 146, 135, 207, 23, 128, 188, 14, 47, 246, 149, 54, 36, 82, 54, 255, 253}
Cipher Suite:  { 0, 19 }
Compression Method: 0
***
Cipher suite:  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=xenia.tecnomen.ie, OU=dad, O=tecnomen, ST=clare, C=IE
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

  Key:  Sun DSA Public Key
  Parameters:DSA
  p: fd7f5381 1d751229 52df4a9c 2eece4e7 f611b752 3cef4400 c31e3f80 b6512669
     455d4022 51fb593d 8d58fabf c5f5ba30 f6cb9b55 6cd7813b 801d346f f26660b7
     6b9950a5 a49f9fe8 047b1022 c24fbba9 d7feb7c6 1bf83b57 e7c6a8a6 150f04fb
     83f6d3c5 1ec30235 54135a16 9132f675 f3ae2b61 d72aeff2 2203199d d14801c7
  q: 9760508f 15230bcc b292b982 a2eb840b f0581cf5
  g: f7e1a085 d69b3dde cbbcab5c 36b857b9 7994afbb fa3aea82 f9574c0b 3d078267
     5159578e bad4594f e6710710 8180b449 167123e8 4c281613 b7cf0932 8cc8a6e1
     3c167a8b 547c8d28 e0a3ae1e 2bb3a675 916ea37f 0bfa2135 62f1fb62 7a01243b
     cca4f1be a8519089 a883dfe1 5ae59f06 928b665e 807b5525 64014c3b fecf492a

  y: 89fd70d7 22014032 6e0b42d6 50a1a02c 65ee48da c7497916 bd0c9042 e8f6cd36
     54bd2e02 4a0af933 0b4135fe fae96972 a50bad43 920ec9ff f48ed90a 4f786f9b
     89758fca a48330fa b55340ed b4d3edc2 ee8133ff ba083e46 6bee41cc f47620ee
     14d2762a 9f271fd9 6ced97ba e48abe17 286430f1 8dc36dea 5342ca5f ff53abad

  Validity: [From: Thu Dec 12 12:20:39 GMT+00:00 2002,
   To: Fri Dec 12 12:20:39 GMT+00:00 2003]
  Issuer: CN=tecnomen ca, OU=dad, O=tecnomen, L=shannon, ST=clare, C=IE
  SerialNumber: [01]

Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
: 04 1F 16 1D 4F 70 65 6E   53 53 4C 20 47 65 6E 65  OpenSSL Gene
0010: 72 61 74 65 64 20 43 65   72 74 69 66 69 63 61 74  rated Certificat
0020: 65   e


[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
: FC 88 B1 F0 C6 7F 17 E0   FC CD B2 14 99 B1 2A AA  ..*.
0010: 8D 67 53 51   .gSQ
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
: D8 18 22 CF F1 9D DE E6   0E 83 D3 04 E7 96 09 2C