Hope someone can help. I've searched through the archives and this seems to be a common problem, but even detailed instructions have left me stumped. I'm trying to get client certificates to be required by tomcat by setting clientAuth=true but I can't seem to figure out how to get the client certificate to be accepted once I do that. Here's what I've done to generate all the appropriate files (parts coped from other posts to this list):
# Create a private key and certificate request openssl req -new -subj "/C=US/ST=North Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key # Create CA's self-signed certificate openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem # Copy ca.pem to ca.crt, edit and change "TRUSTED CERTIFICATE" to "CERTIFICATE" # import ca.crt into the Trusted Root Certificates Store in IE #Import the CA certificate into the JDK certificate authorities keystore: keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file ca.pem -alias my_ca_alias -keypass changeit -storepass changeit # Create a file to hold CA's serial numbers. echo "02" > ca.srl # Create a keystore for the web server. keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D, O=MyOrganization, L=Raleigh, S=North Carolina, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS # Create a certificate request for the web server: keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit # Sign the certificate request: openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365 # Import the signed server certificate into the server keystore: keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit # Import the CA certificate into the server keystore: keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit # Create a client certificate request: openssl req -new -newkey rsa:512 -nodes -out client1.req -keyout client1.key # Sign the client certificate. openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in client1.req -out client1.pem -days 365 # Generate a PKCS12 file containing client key and client certificate. openssl pkcs12 -export -clcerts -in client1.pem -inkey client1.key -out client1.p12 -name "Client" # Import the PKCS12 file into the web browser under Personal Certificates # edit the server.xml file and set clientAuth=true and keystoreFile to point to my server.keystore file. Once all this is done, neither IE nor my web app can talk to tomcat on the ssl port (8443)
