Thanks, I'll turn it on and get back here if the logs don't help me...
Donie

-----Original Message-----
From: Bodycombe, Andrew [mailto:[EMAIL PROTECTED]]
Sent: 12 December 2002 14:58
To: 'Donie Kelly '; ''Tomcat Users List' '
Subject: RE: Creating a signed SSL certificate with my own CA

You can turn on SSL debugging by setting the following environment variable:

    CATALINA_OPTS="-Djavax.net.debug=ALL"

Then restart Tomcat. You will then see much more info in the log. This might help you to debug your problem.

Andy.

-----Original Message-----
From: Donie Kelly
To: 'Tomcat Users List'
Sent: 12/12/2002 14:11
Subject: RE: Creating a signed SSL certificate with my own CA

Just to clarify, when I try to connect via SSL the SSL handshake fails.

Donie

-----Original Message-----
From: Donie Kelly [mailto:[EMAIL PROTECTED]]
Sent: 12 December 2002 12:08
To: 'Tomcat Users List'
Subject: Creating a signed SSL certificate with my own CA

Hi all,

I'm really stuck here and I'd appreciate some help.

To summarise, I've followed the instructions below to generate a CA key so that I can sign my own certificates for use with Tomcat. The instructions below work, and the ca.crt and client.crs.der certs that pop out are viewable in IE. If I import the CA key it shows the client.crs.der key with the CA above. Everything looks great. Then I use the testkeys with Tomcat:

    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               address="192.168.1.4" port="443" enableLookups="true"
               scheme="https" secure="true">
        <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
                 clientAuth="false" protocol="TLS"
                 keystoreFile="c:\tomcat4.0\conf\testkeys"
                 keystorePass="changeit" />
    </Connector>

Now when I try to connect with SSL from IE it just shows "Cannot find server or DNS Error".

What am I doing wrong? Are the certs I am creating suitable for SSL with Tomcat? I'd really appreciate some help.
Donie

PS: Instructions from http://www.ddj.com/documents/s=870/ddj0102a/0102a.htm

Certificate Authority

In a nutshell, what I'm suggesting is that you create your own Certificate Authority (CA) to sign your keys. This gets complicated because nothing in the Java Development Kit or JSSE lets you set up a CA and sign keys. You have to go elsewhere for tools to do this. I chose to go with the OpenSSL toolkit (http://www.openssl.org/) running on Linux. There are toolsets available from other vendors and platforms, however. If you choose to use a different toolset, you will just have to substitute the appropriate commands; the theory is the same no matter what.

First, you need to generate your CA's key. That key is used to sign all the other application keys. The OpenSSL toolkit comes configured to set up a CA from whatever directory you start it in. This means that you need to use all the CA commands from the same directory. In the sample code, you'll find the CA directory that I used to generate the CA key and sign all the application keys:

  1. Generate the CA key

       $ openssl genrsa -rand -des -out ca.key 1024

  2. Create a self-signed certificate

       $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

     You are prompted for location information for the certificate. Enter whatever you want, but make sure you enter something for each field.

  3. Set up the OpenSSL CA tools

       $ mkdir demoCA
       $ mkdir demoCA/newcerts
       $ touch demoCA/index.txt
       $ cp ca.crt demoCA/
       $ echo "01" > demoCA/serial

You now can create the client application's key store and export its public key so your CA can sign it.
You can enter whatever you want for all the location information, but again make sure you enter something - standard alphanumeric characters and spaces, but no underscores or other special characters - for every field:

  4. Create a new key store for the client application

       $ keytool -keystore testkeys -genkey -alias client

     When prompted, enter passphrase for the password to use this keystore with the sample applications.

  5. Export the client's public key

       $ keytool -keystore testkeys -certreq -alias client -file client.crs

  6. Sign the client's key with our CA key

       $ openssl ca -config /etc/openssl.cnf -in client.crs -out client.crs.pem -keyfile ca.key -cert ca.crt

At this point, you should have a file called "client.crs.pem," which is the signed public key. It needs to be converted to a format suitable for the JDK's keytool command, and then imported into the testkeys keystore:

  7. Convert to DER format

       $ openssl x509 -in client.crs.pem -out client.crs.der -outform DER

  8. Import CA certificate into client's key store

       $ keytool -keystore testkeys -alias jsse_article_ca -import -file ca.crt

  9. Import signed key into client's key store

       $ keytool -keystore testkeys -alias client -import -file client.crs.der

Step 8 must be completed so that the keytool command agrees to import the signed key. While importing the signed key, keytool checks the signatories to ensure that their signatures can be validated. They can be validated if their public keys are in the key store.

Once you have completed all of these steps, move the testkeys key store to the client directory. Start over with step 4 and create a key store for the server process. Just substitute "server" everywhere you see "client." Make sure you enter something different in one of the location fields (organizational unit would be a good choice).
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
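The CA procedure quoted in the thread, rehearsed end to end as an added example (this is not code from the thread or from the DDJ article). It builds the same demoCA layout, signs a server request with "openssl ca", converts the result to DER, and then runs the one check the thread never ran: "openssl verify" of the signed certificate against ca.crt, which is the offline equivalent of the chain validation a TLS client performs during the handshake. The scratch directory, subjects, passphrases, the minimal openssl.cnf, the explicit -keyalg RSA (keytool's historic default key type is DSA, which a client expecting an RSA server certificate rejects), and the IP subjectAltName matching the quoted connector address are all assumptions of this example; the keytool steps run only when keytool is on the PATH, otherwise the request is produced with openssl.

```shell
#!/bin/sh
# Added example, not from the thread: rehearse the quoted CA procedure in a scratch
# directory and verify the resulting chain before it ever reaches Tomcat or a browser.
set -eu

WORK="${WORK:-$(mktemp -d)}"                           # assumption: scratch directory
CA_PASS="ca-secret"                                    # constructed CA key passphrase
KS_PASS="changeit"                                     # keystorePass from the quoted server.xml
CA_SUBJ="/C=IE/O=Example/OU=CA/CN=Example Test CA"     # constructed subjects
SRV_SUBJ="/C=IE/O=Example/OU=Server/CN=192.168.1.4"   # OU differs from the CA, as the article insists

# Minimal openssl.cnf so "openssl ca" finds the demoCA layout the article creates.
write_ca_config() {
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca     = CA_default
[ CA_default ]
dir            = ./demoCA
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
default_md     = sha256
default_days   = 365
policy         = policy_any
[ policy_any ]
commonName             = supplied
countryName            = optional
organizationName       = optional
organizationalUnitName = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ server_ext ]
extendedKeyUsage = serverAuth
subjectAltName   = IP:192.168.1.4
EOF
}

# Steps 1-3: CA key, self-signed CA certificate, demoCA directory.
make_ca() {
  openssl genrsa -des3 -passout "pass:$CA_PASS" -out ca.key 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key ca.key -passin "pass:$CA_PASS" \
      -config openssl.cnf -subj "$CA_SUBJ" -out ca.crt
  mkdir -p demoCA/newcerts
  : > demoCA/index.txt
  echo 01 > demoCA/serial
}

# Steps 4-5: server key pair and certificate request. -keyalg RSA is explicit because
# keytool's historic default is DSA, which breaks the handshake for RSA-only clients.
make_server_request() {
  if command -v keytool >/dev/null 2>&1; then
    keytool -genkeypair -keystore testkeys -storepass "$KS_PASS" -keypass "$KS_PASS" \
        -alias server -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=192.168.1.4, OU=Server, O=Example, C=IE"
    keytool -certreq -keystore testkeys -storepass "$KS_PASS" -alias server -file server.csr
  else
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -subj "$SRV_SUBJ" \
        -config openssl.cnf -out server.csr
  fi
}

# Steps 6-7: sign with the CA and convert to DER for keytool.
sign_request() {
  openssl ca -config openssl.cnf -batch -in server.csr -out server.crt \
      -keyfile ca.key -passin "pass:$CA_PASS" -cert ca.crt -extensions server_ext
  openssl x509 -in server.crt -out server.der -outform DER
}

# Steps 8-9 (only when keytool exists): trust the CA first, then install the signed reply
# under the key alias. The alias must end up as a PrivateKeyEntry with a 2-certificate chain.
import_into_keystore() {
  command -v keytool >/dev/null 2>&1 || return 0
  keytool -importcert -keystore testkeys -storepass "$KS_PASS" -alias jsse_article_ca \
      -file ca.crt -noprompt
  keytool -importcert -keystore testkeys -storepass "$KS_PASS" -alias server -file server.der
  keytool -list -v -keystore testkeys -storepass "$KS_PASS" -alias server \
      | grep -q "Certificate chain length: 2"
}

# The check the thread never ran: does server.crt verify against ca.crt alone?
chain_ok() {
  openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1
}

# Counter-example: the same certificate checked against an unrelated CA must fail.
# This is what a mismatched ca.crt / server certificate pair looks like offline.
unrelated_ca_rejects() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt -days 1 \
      -config openssl.cnf -subj "/CN=Other CA" 2>/dev/null
  ! openssl verify -CAfile other.crt server.crt >/dev/null 2>&1
}

mkdir -p "$WORK" && cd "$WORK"
write_ca_config
make_ca
make_server_request
sign_request
import_into_keystore
chain_ok && echo "server certificate chains to ca.crt in $WORK"
```

Run it as "sh ca-rehearsal.sh"; set WORK to keep the output directory. If chain_ok fails here, the handshake cannot succeed no matter what javax.net.debug reports, so this is the place to look before touching Tomcat.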
