Ah.  Thanks for the help, truly, but I'm still not getting there.  I didn't
even know about the truststoreFile so I googled it and saw mention that the
easiest thing to do is to set the truststoreFile = the keystoreFile, since
that already has the CA cert in it.  So, I tried setting truststoreFile to
point to my keystoreFile in server.xml.  That didn't help.  Then I saw that
there might be issues with setting truststoreFile in the server.xml in
Tomcat 4.1 so I set it in CATALINA_OPTS like:

-Djavax.net.ssl.trustStore="C:/Program Files/Apache Group/Tomcat 4.1/conf/server.keystore"

and that didn't help either.  Anything else I'm missing?
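An added example, not from anyone in this thread: it rebuilds the CA, server and client certificates with openssl alone (2048-bit keys instead of the 512/1024-bit ones used above; file names and subjects are constructed here), then checks client1's certificate against two different trust anchors. That is the distinction Bill draws between keystoreFile (the server's identity) and truststoreFile (who the server trusts). Assumes openssl is on PATH.

```shell
#!/bin/sh
# Constructed demo: CA + server + client certs, then two trust checks.
set -e
WORK="$(mktemp -d)"

make_certs() {
  # CA key and self-signed CA cert (the thread's ca.key / ca.pem step)
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=US/ST=North Carolina/L=Raleigh/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Server key and CSR, signed by the CA: this is what belongs in keystoreFile
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-server" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/server.crt" 2>/dev/null
  # Client key and CSR, signed by the same CA: this is what the browser presents
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
    -keyout "$WORK/client1.key" -out "$WORK/client1.req" 2>/dev/null
  openssl x509 -req -in "$WORK/client1.req" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/client1.pem" 2>/dev/null
}

# verify_client ANCHOR: the check a clientAuth=true connector performs, with
# ANCHOR as the only trusted certificate. Prints ok or fail.
verify_client() {
  if openssl verify -CAfile "$1" "$WORK/client1.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# trust_demo: the CA cert vouches for client1; the server's own identity cert
# does not, so a trust store that holds only the server identity rejects clients.
trust_demo() {
  make_certs
  echo "ca-trust:$(verify_client "$WORK/ca.pem") server-trust:$(verify_client "$WORK/server.crt")"
}

trust_demo
```

The ca.pem that yields ok here is the certificate that has to end up in the truststore the connector actually reads, not merely alongside the server key.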


----- Original Message ----- 
From: "Bill Barker" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, March 25, 2005 10:13 PM
Subject: Re: Help with SSL & Cert config


>
> "joelsherriff" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> >I thought that's what this step:
> >
> > # Import the CA certificate into the server keystore:
> > keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
> >
> > was doing.  No?
> >
>
> No.  That's putting it into your keystoreFile.  The keystoreFile is to
> identify you.  The truststoreFile is to identify other people.
>
> > ----- Original Message ----- 
> > From: "Bill Barker" <[EMAIL PROTECTED]>
> > To: <[email protected]>
> > Sent: Friday, March 25, 2005 8:51 PM
> > Subject: Re: Help with SSL & Cert config
> >
> >
> >> You need to put your CA cert into your Tomcat truststoreFile.  Otherwise,
> >> your client's cert won't be trusted.
> >>
> >> "joelsherriff" <[EMAIL PROTECTED]> wrote in message
> >> news:[EMAIL PROTECTED]
> >> I'm resending this message because a) for some reason I didn't see it on
> >> the list after I sent it and b) I never got any responses (maybe because of
> >> _a_).  So, if my original post did actually make it to the list, please
> >> forgive the re-post.
> >>
> >> Hope someone can help.  I've searched through the archives and this seems
> >> to be a common problem, but even detailed instructions have left me
> >> stumped.  I'm trying to get client certificates to be required by tomcat
> >> by setting clientAuth=true but I can't seem to figure out how to get the
> >> client certificate to be accepted once I do that.  Here's what I've done
> >> to generate all the appropriate files (parts copied from other posts to
> >> this list):
> >>
> >> Further elaboration of what we're trying to do:  We want to require client
> >> authentication from our customers.  So, IIUC, we'll have to send them a
> >> signed client cert (p12) to install in their browser and java keystores.
> >> Again, IIUC, importing the CA certificate, that was used to sign the
> >> client cert, into the server keystore is what tells the server to accept
> >> the client certificate presented, because it will be signed by that CA
> >> (us).  Is my understanding correct?  If so, these steps appear to be
> >> correct, unless I've hosed something up along the way.
> >>
> >> # Create a private key and certificate request
> >> openssl req -new -subj "/C=US/ST=North Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
> >>
> >> # Create CA's self-signed certificate
> >> openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
> >>
> >> # Copy ca.pem to ca.crt, edit and change "TRUSTED CERTIFICATE" to "CERTIFICATE"
> >> # import ca.crt into the Trusted Root Certificates Store in IE
> >>
> >> # Import the CA certificate into the JDK certificate authorities keystore:
> >> keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file ca.pem -alias my_ca_alias -keypass changeit -storepass changeit
> >>
> >> # Create a file to hold CA's serial numbers.
> >> echo "02" > ca.srl
> >>
> >> # Create a keystore for the web server.
> >> keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D, O=MyOrganization, L=Raleigh, S=North Carolina, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
> >>
> >> # Create a certificate request for the web server:
> >> keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
> >>
> >> # Sign the certificate request:
> >> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
> >>
> >> # Import the signed server certificate into the server keystore:
> >> keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit
> >>
> >> # Import the CA certificate into the server keystore:
> >> keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
> >>
> >> # Create a client certificate request:
> >> openssl req -new -newkey rsa:512 -nodes -out client1.req -keyout client1.key
> >>
> >> # Sign the client certificate.
> >> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in client1.req -out client1.pem -days 365
> >>
> >> # Generate a PKCS12 file containing client key and client certificate.
> >> openssl pkcs12 -export -clcerts -in client1.pem -inkey client1.key -out client1.p12 -name "Client"
> >>
> >> # Import the PKCS12 file into the web browser under Personal Certificates
> >>
> >> # edit the server.xml file and set clientAuth=true and keystoreFile to
> >> point to my server.keystore file.
> >>
> >> Once all this is done, neither IE nor my web app can talk to tomcat on the
> >> ssl port (8443)
> >>
> >>
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> For additional commands, e-mail: [EMAIL PROTECTED]
> >>
> >>
>
