As far as I understand the client-auth handshake, the server sends a list of trusted CAs to the client.
This list is taken from <JAVA_HOME_set_in_your_tomcat>\lib\security\cacerts, so you have to import your CA cert into that file instead of your .keystore. There is no need to import the client cert into cacerts or the keystore. The client browser scans its (previously imported) client certs for a matching cert issuer/signer and sends (?) this to the server. You will face a difference in the comparison of the CA certs between Netscape and MS IE.

Regards,
Wolfgang

> -----Original Message-----
> From: Brian Palmer [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 26 February 2002 11:58
> To: [EMAIL PROTECTED]
> Subject: SSL Client authentication with standalone Tomcat
>
>
> I'm trying to set up for a simple project client-authentication and CA
> abilities, using standalone tomcat and openssl. I'm not having
> luck. The short version is, when I enable clientAuth, I am unable to
> connect to the server, getting various messages (in Mozilla 0.9.8, I
> get no error messages but the page will not load, using openssl
> s_client I get a write error).
>
> Forgive me in advance for this long message, but my hope is that by
> explicitly stating what I'm doing, it will be easy for someone more
> experienced to see where I'm going wrong. I've spent much of the last
> 2 days searching online for information and trying different
> approaches; most of the problems/solutions don't give a lot of details.
>
> I've done the following:
>
> Step 1: Generate the tomcat request for certificate
>     keytool -genkey -alias tomcat -keyalg RSA
>
>     keytool -certreq -alias tomcat -file my.csr
>
> Step 2: Generate the ca certificate
>     openssl req -new -newkey rsa:512 -nodes -out ca.req \
>         -keyout ca.key
>
>     openssl x509 -trustout -signkey ca.key -days 365 \
>         -req -in ca.req -out ca.crt
>
> Step 3: Sign the tomcat request to generate tomcat certificate
>     openssl x509 -CA ca.crt -CAkey ca.key -in my.csr \
>         -out my.crt -req -CAcreateserial
>
> Step 4: Import both into my keystore
>     keytool -import -file ca.crt -alias RootCert
>
>     keytool -import -file my.crt -alias tomcat
>
> I can then stop and restart tomcat, and non-client-authenticated https
> works. I then go on to
>
> Step 5: Generate a client certificate
>     openssl req -new -newkey rsa:512 -nodes \
>         -out client.req -keyout client.key
>
>     openssl x509 -CA ca.crt -CAkey ca.key \
>         -req -in client.req \
>         -out client.crt
>
> I then enable clientAuth="true", and try to connect to tomcat using
> the openssl s_client:
>     openssl s_client -cert client.crt -key client.key \
>         -connect localhost:8443
> and get the following output:
>     CONNECTED(00000003)
>     depth=1 /C=US/ST=California/L=Stanford/O=Stanford
>     University/OU=CSD/CN=UStorit [EMAIL PROTECTED]
>     verify error:num=19:self signed certificate in certificate chain
>     verify return:0
>     write:errno=104
>
> Any ideas? Or ideas on how to debug this? (I'm coming up against a
> deadline, so any hints much appreciated)
>
> --
> Brian Palmer
> "Whoever fights monsters should see to it that in the process he does
> not become a monster. And when you look long into an abyss, the abyss
> also looks into you" - Nietzsche
>
>
> --
> To unsubscribe: <mailto:[EMAIL PROTECTED]>
> For additional commands: <mailto:[EMAIL PROTECTED]>
> Troubles with the list: <mailto:[EMAIL PROTECTED]>
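The server-side check Wolfgang describes, as an added Go example that is not code from either message in this thread: it builds a self-signed CA and issues a client certificate from it (the Go equivalent of Brian's Step 2 and Step 5), then verifies the client certificate against a truststore that stands in for the CA list Tomcat reads from cacerts. The function names Issue and ServerAcceptsClient, the P-256 keys and the random serial numbers are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue creates a certificate for cn and returns it with its private key. With parent == nil it
// is self-signed (the CA Brian makes with "openssl x509 -signkey ca.key"); otherwise parent and
// parentKey sign it, as "openssl x509 -CA ca.crt -CAkey ca.key" does for the server and client requests.
func Issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // constructed random serial number
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign only matters for the CA
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ServerAcceptsClient is the check behind clientAuth="true": the presented client certificate
// must chain to a CA in the server's truststore (for Tomcat, cacerts); anything else fails the
// handshake. The client certificate itself does not need to be in the truststore.
func ServerAcceptsClient(client *x509.Certificate, truststore ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, ca := range truststore {
		pool.AddCert(ca)
	}
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

Issue("My CA", true, nil, nil) followed by Issue("client", false, caCert, caKey) gives a client certificate that ServerAcceptsClient accepts when the truststore holds caCert, and rejects with an unknown-authority error when the truststore holds only a different CA or nothing at all.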
