"Julian W H Osborne" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
Dear All,
I've been trying to get client/server certificates working with tomcat now for a while and I'm not having much success. I have generated certificates which have worked successfully with apache but not tomcat.
I decided to script what I needed to do, so hopefully if anyone can see a problem with what I am doing they can help!!
I've modified the server.xml file to clientAuth="true" (btw everything works if it is false), and I've added the path for the key store and the password for the key store, other than that there is nothing unusual in the config file.
Well, that's your problem then ;-). You need to configure your truststore to tell Tomcat how to validate client certs. For TC 5.x.x, you need to add truststoreFile="/path/to/trust.store" and truststorePass="<your-password-here>" to your <Connector> element in server.xml.
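For readers following the thread, here is what the reply's advice looks like in practice: a Tomcat 5.x HTTPS <Connector> with the truststoreFile/truststorePass attributes alongside the keystore and clientAuth settings. This is an added illustration, not a fragment from the thread or from Julian's configuration; the port, file paths and passwords are placeholders.

```xml
<!-- Added example, not from the thread: Tomcat 5.x HTTPS connector with
     client certificate authentication. Port, paths and passwords are
     placeholders to be replaced with real values. -->
<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="/path/to/server.keystore"
           keystorePass="CHANGE-ME"
           truststoreFile="/path/to/trust.store"
           truststorePass="CHANGE-ME" />
```

The keystore holds the server's own key pair; the truststore holds the CA certificate(s) that signed the client certificates Tomcat should accept. During the handshake Tomcat advertises the CA names from the truststore to the browser, and the browser only offers client certificates issued by one of those CAs, so a client certificate whose issuer is missing from the truststore fails before any application code runs. Using the same file for both, as Julian does, works only if that file contains the signing CA as a trusted entry; a separate truststore keeps the server's private key out of the file that lists which CAs are trusted.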
Okay, I'm using version 4.1.29. I've added in truststoreFile and truststorePass. I've pointed truststoreFile at the same keystore as I'm using for keystoreFile. But I'm still having a problem. If I use Firefox to test it I get "Could not establish an encrypted connection because your certificate was rejected by ...."
I have imported the client side cert into firefox.
Still stumped!
Thanks in advance
Julian
The openssl.cnf file has only been modified to include valid DN entries.
I've pasted the script I am using below.
Any help gratefully received.
Thanks
Julian
#!/bin/sh
# Generate a key pair in a Java keystore for $1, have the local CA sign it,
# build a client-side PKCS#12 bundle, and import the CA and signed
# certificate back into the keystore. Stop at the first failing step.
set -e

SSL_DIR=/usr/share/ssl/
JAVA_BIN=/usr/java/j2sdk1.4.2_04/jre/bin/
KEYTOOL=${JAVA_BIN}keytool
KEYSTORE_TYPE=jks
KEYSTORE=${SSL_DIR}java/$1-keystore.${KEYSTORE_TYPE}

# Read the keystore/key password without echoing it to the terminal
echo Extracting Private Key .......
echo "Enter Private Key Password: "
stty_orig=`stty -g`
stty -echo
read PASSWORD
stty $stty_orig

DN='CN='$1', OU=it-dept, O=IMS MAXIMS Plc, L=Milton Keynes, S=Buckinghamshire, C=GB'
CACERT=${SSL_DIR}imscacert.pem
cd ${SSL_DIR}java
echo Using ${DN} .......

# Key pair under alias "tomcat"; key and store share one password
echo Generating key .......
${KEYTOOL} -genkey -dname "${DN}" -alias tomcat -keyalg RSA -keystore ${KEYSTORE} -storetype ${KEYSTORE_TYPE} -keypass ${PASSWORD} -storepass ${PASSWORD}

echo Generating certificate request .......
${KEYTOOL} -certreq -keyalg RSA -alias tomcat -file $1.csr -keystore ${KEYSTORE} -storetype ${KEYSTORE_TYPE} -storepass ${PASSWORD} -keypass ${PASSWORD}

# Export the (still self-signed) certificate in DER form and convert it to PEM
echo Exporting key .......
${KEYTOOL} -export -alias tomcat -keystore ${KEYSTORE} -file $1-exported.crt -storepass ${PASSWORD}
echo Converting key .......
openssl x509 -out $1-exported.pem -outform pem -text -in $1-exported.crt -inform der

# ExportPriv is a helper class (not shown here) that dumps the private key
# from the keystore so it can be bundled into the client-side PKCS#12 file
${JAVA_BIN}java ExportPriv ${KEYSTORE} tomcat ${PASSWORD} > $1.key

cp $1.csr ${SSL_DIR}clients/requests/
cp $1.key ${SSL_DIR}clients/keys/
cd ${SSL_DIR}clients

# Sign the request with the local CA (uses the [ca] section of openssl.cnf)
echo Signing server-side certificate .......
openssl ca -out ./completed/$1.crt -infiles ./requests/$1.csr
echo Converting certificate .......
openssl x509 -in ./completed/$1.crt -out ./completed/$1.pem

# Bundle the signed certificate and private key for import into the browser
echo Signing client-side certificate
openssl pkcs12 -export -in ./completed/$1.pem -inkey ./keys/$1.key -out ./client-side/$1.p12

cd ${SSL_DIR}java
# Import the CA certificate as a trusted entry, then replace the self-signed
# "tomcat" certificate with the CA-signed one
echo Updating root certificate in keystore .......
${KEYTOOL} -import -trustcacerts -alias "IMS MAXIMS CA" -keystore ${KEYSTORE} -storetype ${KEYSTORE_TYPE} -file ${CACERT} -storepass ${PASSWORD}
echo Updating server-side certificate in keystore
${KEYTOOL} -import -trustcacerts -alias tomcat -keystore ${KEYSTORE} -storetype ${KEYSTORE_TYPE} -file ${SSL_DIR}clients/completed/$1.pem -storepass ${PASSWORD}
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]