"Julian W H Osborne" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Dear All,
>
> I've been trying to get client/server certificates working with tomcat now
> for a while and I'm not having much success. I have generated
> certificates which have worked successfully with apache but not tomcat.
>
> I decided to script what I needed to do, so hopefully if anyone can see a
> problem with what I am doing they can help!!
>
> I've modified the server.xml file to clientAuth="true" (btw everything
> works if it is false), and I've added the path for the key store and the
> password for the key store, other than that there is nothing unusual in
> the config file.
>
Well, that's your problem then ;-). You need to configure your truststore
to tell Tomcat how to validate client certs. For TC 5.x.x, you need to add
truststoreFile="/path/to/trust.store" and
truststorePass="<your-password-here>" to your <Connector> element in
server.xml.
> The openssl.cnf file has only been modified to include valid DN entries.
>
> I've pasted the script I am using below.
>
> Any help gratefully received.
>
> Thanks
>
>
> Julian
>
>
> #!/bin/sh
> # $1 is the host name used as the CN and as the prefix for all generated files
>
> SSL_DIR=/usr/share/ssl/
>
> JAVA_BIN=/usr/java/j2sdk1.4.2_04/jre/bin/
> KEYTOOL=${JAVA_BIN}keytool
> KEYSTORE_TYPE=jks
> KEYSTORE=${SSL_DIR}java/$1-keystore.${KEYSTORE_TYPE}
>
> echo Extracting Private Key .......
> echo "Enter Private Key Password: "
> stty_orig=`stty -g`
> stty -echo
> read PASSWORD
> stty $stty_orig
>
> DN="CN=$1, OU=it-dept, O=IMS MAXIMS Plc, L=Milton Keynes, S=Buckinghamshire, C=GB"
>
> CACERT=${SSL_DIR}imscacert.pem
>
> cd ${SSL_DIR}java
>
> echo Using ${DN} .......
>
> echo Generating key .......
> ${KEYTOOL} -genkey -dname "${DN}" -alias tomcat -keyalg RSA \
>     -keystore ${KEYSTORE} -storetype ${KEYSTORE_TYPE} \
>     -keypass ${PASSWORD} -storepass ${PASSWORD}
>
> echo Generating certificate request .......
> ${KEYTOOL} -certreq -keyalg RSA -alias tomcat -file $1.csr \
>     -keystore ${KEYSTORE} -storetype ${KEYSTORE_TYPE} \
>     -storepass ${PASSWORD} -keypass ${PASSWORD}
>
> echo Exporting key .......
> ${KEYTOOL} -export -alias tomcat -keystore ${KEYSTORE} \
>     -file $1-exported.crt -storepass ${PASSWORD}
>
> echo Converting key .......
> openssl x509 -out $1-exported.pem -outform pem -text \
>     -in $1-exported.crt -inform der
>
> # ExportPriv is a separate Java helper class (not shown here) that writes
> # the private key out of the JKS keystore
> ${JAVA_BIN}java ExportPriv ${KEYSTORE} tomcat ${PASSWORD} > $1.key
>
> cp $1.csr ${SSL_DIR}clients/requests/
> cp $1.key ${SSL_DIR}clients/keys/
>
> cd ${SSL_DIR}clients
>
> echo Signing server-side certificate .......
> openssl ca -out ./completed/$1.crt -infiles ./requests/$1.csr
>
> echo Converting certificate .......
> openssl x509 -in ./completed/$1.crt -out ./completed/$1.pem
>
> echo Signing client-side certificate
> openssl pkcs12 -export -in ./completed/$1.pem -inkey ./keys/$1.key \
>     -out ./client-side/$1.p12
>
> cd ${SSL_DIR}java
>
> echo Updating root certificate in keystore .......
> ${KEYTOOL} -import -trustcacerts -alias "IMS MAXIMS CA" \
>     -keystore ${KEYSTORE} -storetype ${KEYSTORE_TYPE} \
>     -file ${CACERT} -storepass ${PASSWORD}
>
> echo Updating server-side certificate in keystore
> ${KEYTOOL} -import -trustcacerts -alias tomcat \
>     -keystore ${KEYSTORE} -storetype ${KEYSTORE_TYPE} \
>     -file ${SSL_DIR}clients/completed/$1.pem -storepass ${PASSWORD}
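As an added illustration of the truststore advice above (this is not part of either message), here is the `<Connector>` fragment for a Tomcat 5.x server.xml, first as the original poster describes it (clientAuth on, keystore only) and then with the truststore attributes that Tomcat needs in order to validate client certificates. The port, file paths and passwords are placeholders. Note that the script above already imports the CA certificate (imscacert.pem) into the same keystore, so truststoreFile may point at that keystore, but a separate truststore that holds only the issuing CA certificate is cleaner, since every CA present in the truststore becomes an acceptable issuer for client certificates.

```xml
<!-- Before: clientAuth="true" but no truststore configured.
     Tomcat asks the browser for a certificate but has no CA list
     to validate it against, so the handshake fails. -->
<Connector port="8443"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="/usr/share/ssl/java/myhost-keystore.jks"
           keystoreType="JKS"
           keystorePass="CHANGE-ME-keystore-password" />

<!-- After: truststoreFile/truststorePass point Tomcat at the CA
     certificate(s) that client certificates must chain to.
     The truststore should contain only the CA that issues your
     client certificates, e.g. built with:
       keytool -import -alias "IMS MAXIMS CA" -file imscacert.pem \
               -keystore /usr/share/ssl/java/trust.store
     (path and alias are placeholders taken from the script above). -->
<Connector port="8443"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="/usr/share/ssl/java/myhost-keystore.jks"
           keystoreType="JKS"
           keystorePass="CHANGE-ME-keystore-password"
           truststoreFile="/usr/share/ssl/java/trust.store"
           truststorePass="CHANGE-ME-truststore-password" />
```

A quick way to confirm the truststore is what Tomcat is using is to watch the TLS handshake from the client side: when clientAuth="true" and the truststore is configured, the server's CertificateRequest message lists the DNs of the CAs in the truststore, and a client certificate issued by any other CA is rejected.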