hi dave,

please don't import every client certificate into your server truststore! that's why you can use a 'certification chain'. you create your own CA and import this CA into your truststore. you can find your truststore here: [jdk-home]/jre/lib/security/cacerts (the default password is: changeit)
then create a server certificate and sign it with your CA.
don't forget to set the naming correctly in your server ssl certificate:
  What is your first and last name?
    [Unknown]: www.mydomain.com


if you name it the wrong way the browser pops up a message to verify the server name.
then create your client certificates and sign them with your CA. (you don't need to import them into your truststore. you trust your truststore and all 'children' of it!)
you can export the CA certificate (make a .cer file) and import this into the browser.


here you find a good howto to create certification chains for FreeS/WAN.
in this howto you find everything you need (step-by-step) to use it with tomcat. just import the certs with the java keytool into the keystore and cacerts files.


i hope this helps!
cu,
joe
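As an added example (not code from the thread) of what joe's advice means in JSSE terms: the server truststore holds only the CA certificate, and any certificate signed by that CA validates against it without ever being imported. The class below does that check explicitly with the PKIX CertPathValidator, the same validation a JSSE trust manager performs during the handshake, and it resolves the truststore the way JSSE does by default (the javax.net.ssl.trustStore system property, otherwise cacerts under java.home), which is what the question of where the server looks comes down to. The file name client.cer and the command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Added example, not from the mailing-list thread: checks that a client
 * certificate chains to a CA held in the server truststore. Only the CA
 * needs to be a trusted entry in the truststore; the client certificates
 * themselves do not.
 *
 * Assumed inputs (hypothetical):
 *   args[0] - client certificate to check, DER or PEM, default "client.cer"
 *   args[1] - truststore password, default "changeit" (the cacerts default)
 */
public class ClientCertChainCheck {

    /** Resolve the truststore location the same way JSSE does by default. */
    static String trustStorePath() {
        String fromProperty = System.getProperty("javax.net.ssl.trustStore");
        if (fromProperty != null) {
            return fromProperty;
        }
        // JSSE fallback: [java.home]/lib/security/cacerts
        // (java.home points at the jre directory of a JDK installation).
        return System.getProperty("java.home") + "/lib/security/cacerts";
    }

    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Validates the single-certificate path [clientCert] against the trusted
     * certificate entries of the truststore. Returns the subject of the CA the
     * path terminated at, or throws CertPathValidatorException if the client
     * certificate is not a 'child' of any CA in the truststore (or is expired,
     * has a bad signature, and so on).
     */
    static String validate(X509Certificate clientCert, KeyStore trustStore) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(clientCert));

        // Every trusted certificate entry in the truststore becomes a trust anchor.
        PKIXParameters params = new PKIXParameters(trustStore);
        // The thread does not set up CRLs; turn this on once a CRL source exists.
        params.setRevocationEnabled(false);

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) validator.validate(path, params);
        return result.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        String certFile = args.length > 0 ? args[0] : "client.cer";   // hypothetical file
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate clientCert;
        try (InputStream in = new FileInputStream(certFile)) {
            clientCert = (X509Certificate) cf.generateCertificate(in);
        }

        KeyStore trustStore = loadTrustStore(trustStorePath(), password);
        try {
            String anchor = validate(clientCert, trustStore);
            System.out.println("OK: " + clientCert.getSubjectX500Principal().getName()
                    + " chains to CA " + anchor);
        } catch (CertPathValidatorException e) {
            System.out.println("REJECTED: " + e.getMessage());
        }
    }
}
```

Run it with `-Djavax.net.ssl.trustStore=/path/to/ca.truststore` to point at the truststore that holds your own CA; without the property it checks against the JDK's cacerts, which is exactly what a JSSE server does when nobody told it otherwise.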

[EMAIL PROTECTED] wrote:

Joe,

I've also been trying to do this for ages. I assume you import the client certificate into the server truststore. How does the server know where to look for this truststore?

Thanks

Dave


-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]]
Sent: 26 March 2003 08:49
To: Tomcat Users List
Subject: Re: Tomcat SSL mutual authentication: Nobody's got a clue?


first of all: use jdk1.4.x !!! i found a bug in the old implementation. if someone is interested i can search in my archive to describe the bug.


here is how to patch tomcat 4.1.x to make client authentication 'optional':

in the java class:
org.apache.tomcat.util.net.jsse.JSSESocketFactory

you find 2 times this method call:
.setNeedClientAuth(clientAuth);
change this to:
.setWantClientAuth(clientAuth);

that's it!

and don't forget to change your server.xml:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           useURIValidationHack="false" disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="true" protocol="TLS"
           keystoreFile="/root/certs/java.concrete-it.com.keystore"
           keystorePass="changeit" />
</Connector>



here is my link collection for ssl:
http://www-106.ibm.com/developerworks/java/library/j-customssl/sidebar.html
http://developer.java.sun.com/developer/qow/archive/169/index.jsp
http://www.catgen.com/developer/manual/ssl.html#jbosscatalina

there you can find a lot of howtos on how to make your own CA, server cert and client certs.

hope this helps,
joe
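Added example, not from the thread and not Tomcat's source: a stand-alone JSSE server that shows the difference joe's one-word patch makes. setNeedClientAuth(true) fails the handshake of any client that presents no certificate; setWantClientAuth(true) asks for one but completes the handshake either way, so the application has to find out for itself whether a certificate arrived, which is what getPeerCertificates() throwing SSLPeerUnverifiedException tells it. The file names server.keystore and ca.truststore and the port are assumptions; the password is the changeit from the server.xml above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not from the thread: a minimal TLS server with client
 * authentication that is either required (need) or optional (want),
 * mirroring the setNeedClientAuth -> setWantClientAuth change in Tomcat.
 */
public class OptionalClientAuthServer {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * keystore   - server certificate and private key
     * truststore - only the CA that signed the client certificates
     * optional   - true: want client auth, false: need client auth
     */
    static SSLServerSocket listen(int port, String keystore, String truststore,
                                  char[] password, boolean optional) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keystore, password), password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(truststore, password));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);

        // The two settings are mutually exclusive: setting one clears the other.
        if (optional) {
            ss.setWantClientAuth(true);   // patched behaviour: request a cert, proceed without one
        } else {
            ss.setNeedClientAuth(true);   // stock behaviour: no client cert, no connection
        }
        return ss;
    }

    /** Returns the client's subject DN, or null when the client sent no certificate. */
    static String clientIdentity(SSLSocket socket) {
        try {
            Certificate[] chain = socket.getSession().getPeerCertificates();
            return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
        } catch (SSLPeerUnverifiedException e) {
            // Only reachable with setWantClientAuth: handshake done, client stayed anonymous.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();
        // Hypothetical file names; port 8443 matches the comment in the server.xml.
        try (SSLServerSocket ss = listen(8443, "server.keystore", "ca.truststore", password, true)) {
            while (true) {
                try (SSLSocket s = (SSLSocket) ss.accept()) {
                    s.startHandshake();
                    String who = clientIdentity(s);
                    // The application decides what an anonymous client may do.
                    System.out.println(who == null ? "anonymous client" : "authenticated client " + who);
                }
            }
        }
    }
}
```

With optional set to false, a client without a certificate never gets past startHandshake(), which is the behaviour the unpatched clientAuth="true" gives; with it set to true the check moves into clientIdentity(), and anything that relies on the client being identified has to consult that result rather than assume the handshake already enforced it.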

joe wrote:



hi,

it's true that there is no 'step-by-step' howto for tomcat, but there are many other ssl (and client auth) howtos which you can use for tomcat.
the only thing is just a little bit of searching and reading about ssl, CA, X509 certificates, certification chains ...


i have successfully established ssl connections with (mutual) client certificates. i'll try to find the howtos i've used and post them here (i hope i'll find them again).
i haven't used CRLs - i'm sure there are howtos 'out there'.


and: it's true that tomcat does NOT support mutual client auth! but i've read a little bit of the docs and the source code and patched my tomcat 4.1.x to change the ssl client auth behavior to mutual.

cu, joe

Mark Liu wrote:



Hi,

No, the Tomcat docs only say how to turn on the *server* authentication, i.e., how to run Tomcat in SSL mode. It does not mention how to have the client also pass over its certificate to the Web server.

You have an idea about how to turn on client cert?

--- Norris Shelton <[EMAIL PROTECTED]> wrote:




That about sums it up. We are looking at client certs also. The Tomcat docs say how to turn on client authentication, but there is not much out there on hooking up to a CA and verifying against a CRL. All of that is beyond the scope of this list and dives deep into the realm of JCE.

We are looking into going with a vendor (probably VeriSign).


--- Mark Liu <[EMAIL PROTECTED]> wrote:




For over 1 week, I've been exploring this. So far, I got no reply. Is this so professional, so tough that nobody's got a clue?

__________________________________________________
Do you Yahoo!?
Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!
http://platinum.yahoo.com

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

=====

Norris Shelton
Software Engineer
Sun Certified Java 1.1 Programmer
Appriss, Inc.
ICQ# 26487421
AIM NorrisEShelton
YIM norrisshelton