Hi All
Nothing seems to work out for me with client auth. Here is what I've done:
CA and Certificates
1) perl CA.pl -newca
2) perl CA.pl -newreq
3) perl CA.pl -sign
4) openssl rsa < newreq.pem > server_key.pem
5) mv newcert.pem server_cert.pem
6) mv newreq.pem server_req.pem
7) perl CA.pl -newreq
8) perl CA.pl -sign
9) mv newreq.pem client_req.pem
10) mv newcert.pem client_cert.pem
11) openssl rsa < client_req.pem > client_key.pem
12) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12
13) openssl x509 -in server_cert.pem -out server.x509
14) openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem -out server.p12
15) keytool -genkey -alias tomcat -storepass changeit
16) keytool -import -alias TomcatCA -file demoCA/cacert.pem
I then import the CA's self-signed certificate to the client's machine
along with the p12 certificate.
My tomcat-users.xml file:
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="role1"/>
<role rolename="manager"/>
<role rolename="certs"/>
<role rolename="admin"/>
<user username="mahesh" password="mahesh" roles="admin,manager"/>
<user username="CN=Mahesh, OU=SAD, O=Robosoft, L=UDP, ST=Kar, C=IN"
password=""
roles="tomcat,certs"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="role1" password="tomcat" roles="role1"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
</tomcat-users>
Where am I going wrong? Even if the certificates are in the client's
machine, the certificate identity window always pops up.
Regards & Thanks
================
Mahesh S Kudva
-----Original Message-----
From: Mark Thomas <[EMAIL PROTECTED]>
To: Tomcat Users List <[email protected]>
Date: Tue, 03 May 2005 23:00:57 +0100
Subject: Re: Client Authentication
> The CN for your server cert can be anything you like but you will get a
> warning in your browser if the CN differs from how you express it in the
> URL.
>
> The user needs to look something like this
> <user username="CN=Mark Thomas, OU=Jakarta, O=Apache, L=London, C=GB"
> password="null" roles="tomcat,certs"/>
> in tomcat-users. It must be the full DN of the user certificate.
>
> HTH,
>
> Mark
>
> Mahesh S Kudva wrote:
> > Hi
> >
> > It seems like a silly question. But I am new to SSL and Certificates as
> > well as Tomcat.
> >
> > If my machine's IP is 192.168.0.1 then I access Tomcat as
> > https://192.168.0.1:8443. Keeping this in mind, should I give the Common
> > Name as 192.168.0.1 ???
> >
> > How do I specify the client info in the tomcat-users.xml?
> >
> > <user name=mahesh password=kudva role="admin">
> >
> > This is how my tomcat-users.xml file looks like.
> >
> > Regards & Thanks
> > ================
> > Mahesh S Kudva
> >
> >
> > -----Original Message-----
> > From: "lercoli" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[email protected]>
> > Date: Tue, 3 May 2005 14:33:46 +0200
> > Subject: Re: Client Authentication
> >
> >
> >>CA and Tomcat common name should be the same (localhost or better your
> >>DNS).
> >>First and Last Name of client should be the name of a Tomcat user declared
> >>in tomcat-users.xml.
> >>
> >>Luca Ercoli
> >>
> >>----- Original Message -----
> >>From: "Mahesh S Kudva" <[EMAIL PROTECTED]>
> >>To: "Tomcat Users List" <[email protected]>
> >>Sent: Tuesday, May 03, 2005 1:41 PM
> >>Subject: Re: Client Authentication
> >>
> >>
> >>
> >>>Hi
> >>>
> >>>What kind of information do I need to put in the fields of First and
> >>>Last name and Common name. Will any information do or is it required that
> >>>I need to put in the server address in the client.p12 certificate..
> >>>
> >>>Regards & Thanks
> >>>================
> >>>Mahesh S Kudva
> >>>
> >>>
> >>>-----Original Message-----
> >>>From: "Mahesh S Kudva" <[EMAIL PROTECTED]>
> >>>To: "Tomcat Users List" <[email protected]>
> >>>Date: Mon, 02 May 2005 23:04:50 +0530
> >>>Subject: Re: Client Authentication
> >>>
> >>>
> >>>>Hi
> >>>>
> >>>>I tried with client.p12 first, when I failed I went on with
> >>>>client_cert.x509. I placed it in the personal folder ...
> >>>>
> >>>>Regards & Thanks
> >>>>================
> >>>>Mahesh S Kudva
> >>>>
> >>>>
> >>>>-----Original Message-----
> >>>>From: "lercoli" <[EMAIL PROTECTED]>
> >>>>To: "Tomcat Users List" <[email protected]>
> >>>>Date: Mon, 2 May 2005 17:31:54 +0200
> >>>>Subject: Re: Client Authentication
> >>>>
> >>>>
> >>>>>You should import only client.p12 certificate in IE browser and
> >>>>>when IE asks you in which folder you want to put it select Personal
> >>>>>Folder.
> >>>>>
> >>>>>I hope it helps you.
> >>>>>
> >>>>>Luca Ercoli
> >>>>>
> >>>>>
> >>>>>----- Original Message -----
> >>>>>From: "Mahesh S Kudva" <[EMAIL PROTECTED]>
> >>>>>To: <[email protected]>
> >>>>>Sent: Monday, May 02, 2005 5:08 PM
> >>>>>Subject: Client Authentication
> >>>>>
> >>>>>
> >>>>>
> >>>>>>Dear All
> >>>>>>
> >>>>>>I've been able to setup Tomcat 5.0.30 successfully on port 8443. I
> >>>>>>want to use client authentication. Hence I've enabled clientAuth=true
> >>>>>>in server.xml
> >>>>>>
> >>>>>>Running on Mac OS X these were the commands to create a CA and sign a
> >>>>>>certificate using this CA.
> >>>>>>
> >>>>>>Creating a new CA:
> >>>>>>1) perl CA.pl -newca
> >>>>>>
> >>>>>>Certificate request using openssl:
> >>>>>>1) perl CA.pl -newreq
> >>>>>>2) perl CA.pl -sign
> >>>>>>3) mv newreq.pem client_req.pem
> >>>>>>4) mv newcert.pem client_cert.pem
> >>>>>>5) openssl rsa < client_req.pem > client_key.pem
> >>>>>>6) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem
> >>>>>> -out client.p12
> >>>>>>
> >>>>>>For Tomcat using Java keytool to request certificate:
> >>>>>>1) openssl x509 -in server_cert.pem -out server.x509
> >>>>>>2) openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem
> >>>>>> -out server.p12
> >>>>>>3) keytool -genkey -alias meAsClient -storepass changeit
> >>>>>>4) keytool -certreq -alias measclient -file client.csr -storepass
> >>>>>> changeit
> >>>>>
> >>>>>>5) openssl x509 -req -CA demoCA/cacert.pem -CAkey
> >>>>>> demoCA/private/cakey.pem -extensions v3_ca -in client.csr -inform DER
> >>>>>> -out client_cert.x509 -CAcreateserial
> >>>>>>6) keytool -import -alias butterflyCA -keystore /Syst..
> >>>>>>..urity/cacerts -file ../CA/demoCA/cacert.pem
> >>>>>>7) keytool -import -alias measclient -keystore clientstore -trustcacerts
> >>>>>> -file client_cert.x509
> >>>>>>
> >>>>>>
> >>>>>>Following these commands I don't get any errors. I then import the
> >>>>>>cacert.pem, the ROOT CA certificate and the client.p12 and
> >>>>>>client_cert.x509 to the browser I.E 6.0. But still there is a popup
> >>>>>>requesting for the client's identity and it asks me to select a
> >>>>>>certificate and no certificates are displayed.
> >>>>>>
> >>>>>>How can I go about this?
> >>>>>>
> >>>>>>
> >>>>>>All suggestions and ideas are welcome.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>Regards & Thanks
> >>>>>>================
> >>>>>>Mahesh S Kudva
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>-------------------------------------------------------
> >>>>>>Robosoft Technologies - Partners in Product Development
> >>>>>>
> >>>>>>---------------------------------------------------------------------
> >>>>>>To unsubscribe, e-mail: [EMAIL PROTECTED]
> >>>>>>For additional commands, e-mail: [EMAIL PROTECTED]
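As an added example (not code from this thread or from Tomcat itself), the Python script below checks whether a client certificate's subject DN, written in the comma-separated form the thread shows, matches a username in tomcat-users.xml and, when it does not, says whether the miss is only spacing or case (which Tomcat's literal string comparison still rejects) or a missing or extra RDN such as ST or L. It assumes Tomcat looks the DN string up verbatim as the username, as Mark's reply implies, and the tomcat-users.xml it reads is constructed for the example, modelled on the one posted above.

```python
"""Exact-match check for certificate-DN user names in tomcat-users.xml.

Added example, not from the mailing-list thread. Assumption: Tomcat takes the
client certificate's subject DN as a string (e.g. "CN=Mahesh, OU=SAD, ...")
and looks it up verbatim in the username attribute of tomcat-users.xml.
"""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the tomcat-users.xml posted in the thread.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="certs"/>
  <user username="CN=Mahesh, OU=SAD, O=Robosoft, L=UDP, ST=Kar, C=IN"
        password="" roles="tomcat,certs"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>
"""


def parse_dn(dn):
    """Split "CN=a, OU=b" into [("CN", "a"), ("OU", "b")].

    Attribute types are upper-cased and surrounding whitespace is dropped so
    that spacing-only differences can be detected. Escaped commas inside
    values are not handled (assumption: plain DNs like those in the thread).
    """
    rdns = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError("not a DN component: %r" % rdn)
        attr, value = rdn.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def load_users(xml_text):
    """Return {username: [roles]} from a tomcat-users.xml document."""
    root = ET.fromstring(xml_text)
    return {u.get("username"): [r for r in u.get("roles", "").split(",") if r]
            for u in root.iter("user")}


def match_cert_user(subject_dn, xml_text):
    """Classify how a client certificate's subject DN matches tomcat-users.xml.

    Returns one of:
      ("exact", roles)    - string-identical username exists; login will work
      ("near", username)  - same RDNs, different spacing/case; a verbatim
                            string lookup will NOT match this entry
      ("partial", detail) - an entry with the same CN exists but RDNs differ
      ("none", None)      - no DN-style username resembles this certificate
    """
    users = load_users(xml_text)
    if subject_dn in users:
        return "exact", users[subject_dn]

    want = parse_dn(subject_dn)
    want_cn = dict(want).get("CN")
    for name in users:
        try:
            got = parse_dn(name)
        except ValueError:
            continue  # an ordinary password user such as "tomcat"
        if got == want:
            return "near", name
        if dict(got).get("CN") == want_cn:
            missing = [rdn for rdn in want if rdn not in got]  # in cert only
            extra = [rdn for rdn in got if rdn not in want]    # in entry only
            return "partial", {"entry": name, "missing": missing, "extra": extra}
    return "none", None


if __name__ == "__main__":
    for dn in ("CN=Mahesh, OU=SAD, O=Robosoft, L=UDP, ST=Kar, C=IN",
               "CN=Mahesh,OU=SAD,O=Robosoft,L=UDP,ST=Kar,C=IN",
               "CN=Mahesh, OU=SAD, O=Robosoft, C=IN"):
        print(dn, "->", match_cert_user(dn, TOMCAT_USERS_XML))
```

Feed it the subject line exactly as the server logs or the browser's certificate viewer shows it; a "near" or "partial" result is the usual reason a certificate that the browser does present is still refused by the realm.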