Dear All,
I've been trying to get client/server certificates working with tomcat now for a while and I'm not having much success. I have generated certificates which have worked successfully with apache but not tomcat.
I decided to script what I needed to do, so hopefully if anyone can see a problem with what I am doing they can help!!
I've modified the servers.xml file to clientAuth="true" (btw everything works if it is false), and I've added the path for the key store and the password for the key store, other than that there is nothing unusual in the the config file.
The openssl.cnf file has only been modified to include valid DN enteries.
I've pasted the script I am using below.
Any help greatfully received.
Thanks
Julian
#!/bin/sh
SSL_DIR=/usr/share/ssl/
JAVA_BIN=/usr/java/j2sdk1.4.2_04/jre/bin/
KEYTOOL=${JAVA_BIN}keytool
KEYSTORE_TYPE=jks
KEYSTORE=${SSL_DIR}java/$1-keystore.${KEYSTORE_TYPE}echo Extracting Private Key ....... echo "Enter Private Key Password: " stty_orig=`stty -g` stty -echo read PASSWORD stty $stty_orig
DN='CN='$1', OU=it-dept, O=IMS MAXIMS Plc, L=Milton Keynes, S=Buckinghamshire, C=GB'
CACERT=${SSL_DIR}imscacert.pemcd ${SSL_DIR}javaecho Using ${DN} .......echo Generating key .......
${KEYTOOL} -genkey -dname "${DN}" -alias tomcat -keyalg RSA -keystore ${KEYSTORE} -storetype ${KEYSTORE_TYPE} -keypass ${PASSWORD} -storepass ${PASSWORD}
echo Generating certificate request .......
${KEYTOOL} -certreq -keyalg RSA -alias tomcat -file $1.csr -keystore ${KEYSTORE} -storetype ${KEYSTORE_TYPE} -storepass ${PASSWORD} -keypass ${PASSWORD}
echo Exporting key .......
${KEYTOOL} -export -alias tomcat -keystore ${KEYSTORE} -file $1-exported.crt -storepass ${PASSWORD}
echo Converting key .......
openssl x509 -out $1-exported.pem -outform pem -text -in $1-exported.crt -inform der
${JAVA_BIN}java ExportPriv ${KEYSTORE} tomcat ${PASSWORD} > $1.keycp $1.csr ${SSL_DIR}clients/requests/
cp $1.key ${SSL_DIR}clients/keys/cd ${SSL_DIR}clientsecho Signing server-side certificate ....... openssl ca -out ./completed/$1.crt -infiles ./requests/$1.csr
echo Converting certificate ....... openssl x509 -in ./completed/$1.crt -out ./completed/$1.pem
echo Signing client-side certificate
openssl pkcs12 -export -in ./completed/$1.pem -inkey ./keys/$1.key -out ./client-side/$1.p12
cd ${SSL_DIR}javaecho Updating root certificate in keystore .......
${KEYTOOL} -import -trustcacerts -alias "IMS MAXIMS CA" -keystore ${KEYSTORE} -storetype ${KEYSTORE_TYPE} -file ${CACERT} -storepass ${PASSWORD}
echo Updating server-side certificate in keystore
${KEYTOOL} -import -trustcacerts -alias tomcat -keystore ${KEYSTORE} -storetype ${KEYSTORE_TYPE} -file ${SSL_DIR}clients/completed/$1.pem -storepass ${PASSWORD}
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
