Clere, Jean-Frederic wrote:
> Steven Bradley wrote:
>
>> I'm using Tomcat 4.0 standalone on Windows 2000 and am having trouble
>> getting SSL client authentication working (getting SSL server auth
>> working was a snap). Here's what I've done so far:
>>
>> * created a self-signed client cert using openSSL (key usage includes
>>   digital signature)
>> * imported client cert (and private key) into Internet Explorer (by
>>   way of a PKCS#12 file)
>> * imported the Tomcat JKS file with the client certificate
>
> CA file?
>
>> * configure tomcat server.xml file as follows:
>>
>>   <Connector
>>     className="org.apache.catalina.connector.http.HttpConnector"
>>     port="443"
>>     minProcessors="5"
>>     maxProcessors="75"
>>     enableLookups="true"
>>     acceptCount="10"
>>     debug="0"
>>     scheme="https"
>>     secure="true">
>>     <Factory
>>       className="org.apache.catalina.net.SSLServerSocketFactory"
>>       clientAuth="true"
>>       keystoreFile="conf/server.keystore"
>>       keystorePass="password"
>>       protocol="TLS"/>
>>   </Connector>
>>
>> * stop/start tomcat
>> * point IE browser to https://localhost/index.html
>>
>> What IE tells me is that the page can't be displayed (after some
>> handshaking attempts). Unfortunately, there is no log info generated
>> (even if I increase the debug param in the <Connector> element).
>
> Try with Mozilla or with openssl (something like: openssl s_client -port
> 8443 -host localhost).
> Does it work when clientAuth="false"?
>
>> Any clues as to what I may be doing wrong? Has ANYONE been able to
>> get SSL client authentication working with Tomcat 4.0 standalone
>> (Catalina).
>
> Sure I tested it... It worked ok.
I have found a document that I wrote at that time:

+++
Steps to set up a demoCA and user certificates:

1 - /usr/local/ssl/misc/CA.pl -newca
    This creates a demoCA directory that contains the CA certificates.
2 - /usr/local/ssl/misc/CA.pl -newreq
    This creates a newreq.pem that contains the private key and request.
3 - Separate the request and private key. Put the private key in key.pem
    and the request in newreq.pem.
4 - /usr/local/ssl/misc/CA.pl -signreq
    It displays the certificate before signing it. The result is in newcert.pem.
5 - /usr/local/ssl/bin/openssl pkcs12 -export -inkey key.pem \
        -in newcert.pem -out test.p12
    The test.p12 contains a file that can be imported in the browser.
6 - Import in the browser the test.p12 file.
7 - Add the CA cert in the $JAVA_HOME/jre/lib/security/cacerts
    chmod u+w $JAVA_HOME/jre/lib/security/cacerts
    $JAVA_HOME/keytool -import -trustcacerts -file demoCA/cacert.pem \
        -keystore $JAVA_HOME/jre/lib/security/cacerts
+++

> Make sure the CA that has signed your certificates is in the CA file
> ($JAVA_HOME/jre/lib/security/cacerts or something).
>
>> Thanks in advance
>> -- Steven
>>
>> --
>> To unsubscribe, e-mail:
>> <mailto:[EMAIL PROTECTED]>
>> For additional commands, e-mail:
>> <mailto:[EMAIL PROTECTED]>