"joelsherriff" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Well I have more info now. I turned on debugging and saw that I'm getting > a > 'null cert chain' SSLHandshakeException. So, > I started from scratch and went through each of my steps one by one and > I've > apparently got one of them wrong. Now when > I do these steps: > > # Create a private key and certificate request for your own CA: > openssl req -new -subj "/C=US/ST=New York/L=New York/CN=akuma-c" -newkey > rsa:1024 -nodes -out ca.csr -keyout ca.key > > # Create CA's self-signed certificate > openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out > ca.pem > > #Import the CA certificate into the JDK certificate authorities keystore: > keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file > ca.pem -alias myalias -keypass changeit >
This is either/or with truststoreFile (which, since you are using 4.1.x, is
done with the -Djavax.net.ssl.trustStore=/path/to/trust.store; for TC 3 & 5
it's configured like keystoreFile). However, you need to trust your CA cert
(i.e. -trustcacerts). This (and everything I've said before) is assuming that
you're using the Coyote Connector. I don't really remember how the
(deprecated) Http11Connector works (and don't care enough to look it up :).

> # Create a file to hold CA's serial numbers.
> echo "02" > ca.srl
>
> # Create a keystore for web server.
> keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D, O=MyOrg, L=New York, S=New York, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
>
> # Create a certificate request for web server:
> keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
>
> # Sign the certificate request:
> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
>
> # Import the signed server certificate into the server keystore:
> keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit
>

It's good practice to import the server CA as well, so that JSSE can send the
entire chain, but at this point, I imagine you just want it to work ;-). It's
also necessary if you are pointing your truststore to your keystore.

> I get a 'Failed to establish chain from reply' exception at this point.
>

Since you re-created your CA, you would need to re-import it into your
browser. However, I'm guessing that it's because of the lack of trust
mentioned above.

>
>
> ----- Original Message -----
> From: "joelsherriff" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[email protected]>
> Sent: Saturday, March 26, 2005 11:24 AM
> Subject: Re: Help with SSL & Cert config
>
>
>> Ah. Thanks for the help, truly, but I'm still not getting there. I
>> didn't even know about the truststoreFile so I googled it and saw mention
>> that the easiest thing to do is to set the truststoreFile = the
>> keystoreFile, since that already has the CA cert in it. So, I tried
>> setting truststoreFile to point to my keystoreFile in server.xml. That
>> didn't help. Then I saw that there might be issues with setting
>> truststoreFile in the server.xml in Tomcat 4.1 so I set it in
>> CATALINA_OPTS like:
>>
>> -Djavax.net.ssl.trustStore="C:/Program Files/Apache Group/Tomcat 4.1/conf/server.keystore"
>>
>> and that didn't help either. Anything else I'm missing?
>>
>>
>> ----- Original Message -----
>> From: "Bill Barker" <[EMAIL PROTECTED]>
>> To: <[email protected]>
>> Sent: Friday, March 25, 2005 10:13 PM
>> Subject: Re: Help with SSL & Cert config
>>
>>
>> >
>> > "joelsherriff" <[EMAIL PROTECTED]> wrote in message
>> > news:[EMAIL PROTECTED]
>> > > I thought that's what this step:
>> > >
>> > > # Import the CA certificate into the server keystore:
>> > > keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
>> > >
>> > > was doing. No?
>> > >
>> >
>> > No. That's putting it into your keystoreFile. The keystoreFile is to
>> > identify you. The truststoreFile is to identify other people.
>> >
>> > > ----- Original Message -----
>> > > From: "Bill Barker" <[EMAIL PROTECTED]>
>> > > To: <[email protected]>
>> > > Sent: Friday, March 25, 2005 8:51 PM
>> > > Subject: Re: Help with SSL & Cert config
>> > >
>> > >
>> > >> You need to put your CA cert into your Tomcat truststoreFile.
>> > >> Otherwise, your client's cert won't be trusted.
>> > >>
>> > >> "joelsherriff" <[EMAIL PROTECTED]> wrote in message
>> > >> news:[EMAIL PROTECTED]
>> > >> I'm resending this message because a) for some reason I didn't see
>> > >> it on the list after I sent it and b) I never got any responses
>> > >> (maybe because of _a_). So, if my original post did actually make
>> > >> it to the list, please forgive the re-post.
>> > >>
>> > >> Hope someone can help. I've searched through the archives and this
>> > >> seems to be a common problem, but even detailed instructions have
>> > >> left me stumped. I'm trying to get client certificates to be
>> > >> required by tomcat by setting clientAuth=true but I can't seem to
>> > >> figure out how to get the client certificate to be accepted once I
>> > >> do that. Here's what I've done to generate all the appropriate files
>> > >> (parts copied from other posts to this list):
>> > >>
>> > >> Further elaboration of what we're trying to do: We want to require
>> > >> client authentication from our customers. So, IIUC, we'll have to
>> > >> send them a signed client cert (p12) to install in their browser and
>> > >> java keystores. Again, IIUC, importing the CA certificate, that was
>> > >> used to sign the client cert, into the server keystore is what tells
>> > >> the server to accept the client certificate presented, because it
>> > >> will be signed by that CA (us). Is my understanding correct? If so,
>> > >> these steps appear to be correct, unless I've hosed something up
>> > >> along the way.
>> > >>
>> > >> # Create a private key and certificate request
>> > >> openssl req -new -subj "/C=US/ST=North Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
>> > >>
>> > >> # Create CA's self-signed certificate
>> > >> openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
>> > >>
>> > >> # Copy ca.pem to ca.crt, edit and change "TRUSTED CERTIFICATE" to "CERTIFICATE"
>> > >> # import ca.crt into the Trusted Root Certificates Store in IE
>> > >>
>> > >> # Import the CA certificate into the JDK certificate authorities keystore:
>> > >> keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file ca.pem -alias my_ca_alias -keypass changeit -storepass changeit
>> > >>
>> > >> # Create a file to hold CA's serial numbers.
>> > >> echo "02" > ca.srl
>> > >>
>> > >> # Create a keystore for the web server.
>> > >> keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D, O=MyOrganization, L=Raleigh, S=North Carolina, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
>> > >>
>> > >> # Create a certificate request for the web server:
>> > >> keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
>> > >>
>> > >> # Sign the certificate request:
>> > >> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
>> > >>
>> > >> # Import the signed server certificate into the server keystore:
>> > >> keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit
>> > >>
>> > >> # Import the CA certificate into the server keystore:
>> > >> keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
>> > >>
>> > >> # Create a client certificate request:
>> > >> openssl req -new -newkey rsa:512 -nodes -out client1.req -keyout client1.key
>> > >>
>> > >> # Sign the client certificate.
>> > >> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in client1.req -out client1.pem -days 365
>> > >>
>> > >> # Generate a PKCS12 file containing client key and client certificate.
>> > >> openssl pkcs12 -export -clcerts -in client1.pem -inkey client1.key -out client1.p12 -name "Client"
>> > >>
>> > >> # Import the PKCS12 file into the web browser under Personal Certificates
>> > >>
>> > >> # edit the server.xml file and set clientAuth=true and keystoreFile to point to my server.keystore file.
>> > >>
>> > >> Once all this is done, neither IE nor my web app can talk to tomcat on the ssl port (8443)
>> > >>
>> > >>
>> > >> ---------------------------------------------------------------------
>> > >> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> > >> For additional commands, e-mail: [EMAIL PROTECTED]
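The check below is an added example, not code from this thread or from Tomcat. It does offline what the JSSE PKIX trust manager does when a client certificate is presented: it loads server.keystore, lists which entries are trustedCertEntry (the kind the CA import adds, as opposed to the tomcat-sv key entry) and tries to chain client1.pem to one of them. The file names and the changeit password are the ones used in the thread; the class and helper names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;

// Added example, not from the thread or from Tomcat: can this certificate be
// chained to a CA that is held as a trusted certificate entry in a JKS store?
public class ChainCheck {
    static KeyStore loadJks(String file, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");      // -storetype JKS, as in the thread
        try (InputStream in = new FileInputStream(file)) { ks.load(in, pass); }
        return ks;
    }

    // Subject of the trust anchor the chain ends at, or null when no chain can be
    // built, which is the condition behind "Failed to establish chain from reply".
    static String anchorFor(String certFile, KeyStore trust) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate leaf;
        try (InputStream in = new FileInputStream(certFile)) {
            leaf = (X509Certificate) cf.generateCertificate(in);   // PEM or DER
        }
        try {
            // Only trustedCertEntry entries become anchors; the tomcat-sv key entry
            // does not, and the constructor throws if there is no trusted entry at all.
            PKIXParameters params = new PKIXParameters(trust);
            params.setRevocationEnabled(false);             // private CA: no CRL/OCSP
            CertPath path = cf.generateCertPath(Collections.singletonList(leaf));
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(path, params);
            return r.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName();
        } catch (InvalidAlgorithmParameterException | CertPathValidatorException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        String trustFile = args.length > 0 ? args[0] : "server.keystore";  // names from the thread
        String certFile = args.length > 1 ? args[1] : "client1.pem";
        KeyStore trust = loadJks(trustFile, "changeit".toCharArray());
        for (String alias : Collections.list(trust.aliases()))
            System.out.println(alias + ": " + (trust.isCertificateEntry(alias) ? "trustedCertEntry" : "keyEntry"));
        String anchor = anchorFor(certFile, trust);
        System.out.println(anchor == null ? "no chain: the signing CA is not a trusted entry in " + trustFile
                                          : certFile + " chains to " + anchor);
    }
}
```

Run it as `java ChainCheck.java server.keystore client1.pem` on Java 11 or later, after the keytool steps from the thread. If only tomcat-sv is listed, no chain can be built, which is the keystore-versus-truststore mix-up Bill describes.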
