I can create a single key and use that; it works OK. The problem is when I try to sign the key using my own CA.
Donie

-----Original Message-----
From: Christoph Fischer [mailto:[EMAIL PROTECTED]]
Sent: 12 December 2002 14:35
To: Tomcat Users List
Subject: Re: Creating a signed SSL certificate with my own CA

Maybe you have an entry for a special proxy server in your IE for SSL connections?
I've created a key with the keytool from j2sdk1.4.1 and it works without problem.

Chris

Donie Kelly wrote:

>Hi all
>
>I'm really stuck here and I'd appreciate some help. To summarise, I've
>followed the instructions below to generate a CA key so that I can sign my
>own certificates for use with Tomcat. The instructions below work and the
>ca.crt and client.crs.der certs that pop out are viewable in IE. If I import
>the CA key it shows the client.crs.der key with the CA above. Everything
>looks great.
>
>Then I use the testkeys with Tomcat:
>
>  <Connector className="org.apache.catalina.connector.http.HttpConnector"
>      address="192.168.1.4" port="443" enableLookups="true" scheme="https"
>      secure="true">
>    <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>        clientAuth="false" protocol="TLS" keystoreFile="c:\tomcat4.0\conf\testkeys"
>        keystorePass="changeit" />
>  </Connector>
>
>Now when I try to connect with SSL from IE it just shows
>
>  Cannot find server or DNS Error
>
>What am I doing wrong? Are the certs I am creating suitable for SSL with
>Tomcat? I'd really appreciate some help.
>
>Donie
>
>PS: Instructions from http://www.ddj.com/documents/s=870/ddj0102a/0102a.htm
>
>Certificate Authority
>
>In a nutshell, what I'm suggesting is that you create your own Certificate
>Authority (CA) to sign your keys. This gets complicated because nothing in
>the Java Development Kit or JSSE lets you set up a CA and sign keys. You
>have to go elsewhere for tools to do this. I chose to go with the OpenSSL
>toolkit (http://www.openssl.org/) running on Linux. There are toolsets
>available from other vendors and platforms, however. If you choose to use a
>different toolset, you will just have to substitute the appropriate
>commands; the theory is the same no matter what.
>
>First, you need to generate your CA's key. That key is used to sign all the
>other application keys. The OpenSSL toolkit comes configured to set up a CA
>from whatever directory you start it in. This means that you need to use all
>the CA commands from the same directory. In the sample code, you'll find the
>CA directory that I used to generate the CA key and sign all the application
>keys:
>
>1. Generate the CA key
>
>  $ openssl genrsa -des -out ca.key 1024
>
>2. Create a self-signed certificate
>
>  $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
>
>You are prompted for location information for the certificate. Enter
>whatever you want, but make sure you enter something for each field.
>
>3. Set up the OpenSSL CA tools
>
>  $ mkdir demoCA
>  $ mkdir demoCA/newcerts
>  $ touch demoCA/index.txt
>  $ cp ca.crt demoCA/
>  $ echo "01" > demoCA/serial
>
>You now can create the client application's key store and export its public
>key so your CA can sign it. You can enter whatever you want for all the
>location information, but again make sure you enter something - standard
>alphanumeric characters and spaces, but no underscores or other special
>characters - for every field:
>
>4. Create a new key store for the client application
>
>  $ keytool -keystore testkeys -genkey -alias client
>
>When prompted, enter passphrase for the password to use this keystore with
>the sample applications.
>
>5. Export the client's public key
>
>  $ keytool -keystore testkeys -certreq -alias client -file client.crs
>
>6. Sign the client's key with our CA key
>
>  $ openssl ca -config /etc/openssl.cnf -in client.crs -out client.crs.pem \
>      -keyfile ca.key -cert ca.crt
>
>At this point, you should have a file called "client.crs.pem," which is the
>signed public key. It needs to be converted to a format suitable for the
>JDK's keytool command, and then imported into the testkeys keystore:
>
>7. Convert to DER format
>
>  $ openssl x509 -in client.crs.pem -out client.crs.der -outform DER
>
>8. Import CA certificate into client's key store
>
>  $ keytool -keystore testkeys -alias jsse_article_ca -import -file ca.crt
>
>9. Import signed key into client's key store
>
>  $ keytool -keystore testkeys -alias client -import -file client.crs.der
>
>Step 8 must be completed so that the keytool command agrees to import the
>signed key. While importing the signed key, keytool checks the signatories
>to ensure that their signatures can be validated. They can be validated if
>their public keys are in the key store.
>
>Once you have completed all of these steps, move the testkeys key store to
>the client directory. Start over with step 4 and create a key store for the
>server process. Just substitute "server" everywhere you see "client." Make
>sure you enter something different in one of the location fields
>(organizational unit would be a good choice).
>
>--
>To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
>For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
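The following script is an added example for this thread; it is not from the original posts or from the DDJ article. It walks the OpenSSL side of the quoted procedure unattended (CA key, self-signed CA certificate, the demoCA layout, signing with `openssl ca`, conversion to DER) and then runs the two checks a practitioner wants before touching Tomcat: that the signed certificate validates against ca.crt (the same check keytool performs in step 9) and that it is CA-signed rather than self-signed. The keytool -genkey/-certreq steps are replaced by an `openssl req` request so that only openssl is needed, the private keys are left unencrypted so nothing prompts, and all subject names and the hostname tomcat.example.test are made up.

```shell
#!/bin/sh
# Added example, not from the thread or the DDJ article. Reproduces the
# OpenSSL steps of the quoted procedure unattended and checks the result.
# The keytool -genkey/-certreq steps are done with 'openssl req' instead,
# so only openssl is required. All subject names below are constructed.
set -eu

# Build the CA, sign one server certificate, and leave all files in "$1".
make_ca_and_sign() {
    (
    cd "$1"

    # Minimal config standing in for the /etc/openssl.cnf used in step 6.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = ./demoCA
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_ext

[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

    # Step 1: CA key. Unencrypted so the script runs unattended; the
    # article's -des option would prompt for a passphrase.
    openssl genrsa -out ca.key 2048 2>/dev/null

    # Step 2: self-signed CA certificate, explicitly marked CA:TRUE so that
    # chain validation (openssl verify, keytool, browsers) accepts it as an issuer.
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
        -config ca.cnf -extensions v3_ca \
        -subj "/C=IE/O=Example Corp/OU=Example CA/CN=Example Test CA"

    # Step 3: directory layout that 'openssl ca' expects.
    mkdir -p demoCA/newcerts
    touch demoCA/index.txt
    echo "01" > demoCA/serial

    # Steps 4-5 (keytool -genkey / -certreq) done with openssl: a server key
    # plus a certificate request. The OU differs from the CA's, as the article
    # advises, and the CN is the host name clients will connect to (constructed).
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -config ca.cnf \
        -subj "/C=IE/O=Example Corp/OU=Web Server/CN=tomcat.example.test" 2>/dev/null

    # Step 6: sign the request with the CA (-batch answers the y/n prompts).
    openssl ca -config ca.cnf -batch -notext -in server.csr -out server.crt \
        -keyfile ca.key -cert ca.crt 2>/dev/null

    # Step 7: DER form, which is what 'keytool -import' consumes in step 9.
    openssl x509 -in server.crt -out server.der -outform DER
    )
}

# Does the signed certificate validate against ca.crt? Prints OK or FAIL.
verify_signed() {
    if openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Is the result CA-signed rather than self-signed? Compares subject and
# issuer of server.crt and prints yes or no.
signed_cert_is_not_self_signed() {
    subj=$(openssl x509 -in "$1/server.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1/server.crt" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    if [ "$subj" != "$iss" ]; then echo yes; else echo no; fi
}

# Usage: d=$(mktemp -d); make_ca_and_sign "$d"; verify_signed "$d"
```

The config marks the CA certificate CA:TRUE and gives the server certificate CA:FALSE plus serverAuth, which is what a validating client looks for in each position of the chain; a self-signed certificate that lacks basicConstraints is rejected as an issuer by OpenSSL's own `verify`, which is worth ruling out before blaming the browser or the proxy settings. If `verify_signed` prints FAIL, the certificate will not import into the keystore and Tomcat will not serve with it; if `signed_cert_is_not_self_signed` prints no, the CA step was skipped and the certificate is just another self-signed one.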
