I would have thought that the Java APIs would have allowed you to do this.
As far as openssl is concerned, it is just command line stuff, so you can
always use Runtime.exec() to run openssl.  I think there is a -dname
option for openssl so you can just put the cert request answers on the
command line as well, and not have to answer these through
standard input/standard output.

Good luck.
 
-----Original Message-----
From: Ronald Spiers [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 11, 2007 11:15 AM
To: Tomcat Users List
Subject: Re: Reloading keystore - how to register a new TrusStore Manager
for Tomcat?

Hi Mark, thanks a lot for your comments.

The problem is that I found a way to generate via API a PKCS12 keystore for
my client, but it won't be based on my server's certificate.

I could not find a way to auto-enroll users using openssl and Java, I mean
control openssl commands from Java to create PKCS12 keystores they can
import, already signed by my server certificate, so that my server will
trust them without having to reload the truststore (if I understood your
last paragraph well).

That's why I was looking into this problem: once I was able to create these
client certificates via API ( CertAndKeyGen.getSelfCertificate() ) and
store the client certificates into my truststore, I thought the natural
next step was to reload the truststore in some way, because these
certificates are not linked to my server certificate and the server must
verify them. It seems I have to resort to openssl to sign them with my
server's certificate, but I don't know how to do that programmatically
with Java.

I searched the Tomcat archives and found that others confronted this problem
and probably shared my misconception of the certificate system, but no one
reported it as solved, either by doing it the right way via openssl or
finally implementing a TrustManager, or something like that using JSSE APIs
(which is what I would prefer).

Thanks for the links anyway, if you have some resource about controlling the
process via openssl with Java, please share it with me.

Regards.


On 6/11/07, Mark Claassen <[EMAIL PROTECTED]> wrote:
> Humm.  I don't think this is how the certificate system is supposed to
> be used.  The intention is that the truststore handles certificate
> authorities you trust.
>
> For an example, let's switch to the browser.
>
> Browsers generally trust Verisign and Thawte out of the box.  You can
> see these certificates in your browser's options pages.
>
> So, let's say you go to amazon.com.  Amazon will have a certificate
> that was created for them by, say, Verisign.  Your browser will get
> the amazon certificate and see that it was created by verisign.  Since
> your browser already trusts verisign, it will trust that amazon is who it
> says it is.
> (Verifying identity is the certificate's primary function.)
>
> Tomcat works the same way.  So, in your case, maybe you want to create
> your own certificate and put it into your truststore.  Then, as you
> create certificates for others, you create them based on the
> certificate you loaded into your truststore.  Since Tomcat already
> trusts this one, all the certificates you create and give to others
> will also be trusted...no reconfiguration necessary.
>
> Mark
>
> Some helpful links:
>
> http://www.tc.umn.edu/~brams006/selfsign.html
> http://www.openssl.org/docs/apps/x509.html
> http://www.openssl.org/docs/apps/pkcs12.html
>
>
> -----Original Message-----
> From: Ronald Spiers [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 11, 2007 10:21 AM
> To: [email protected]
> Subject: Reloading keystore - how to register a new TrusStore Manager 
> for Tomcat?
>
> Hi, I am preparing a self enrollment webapp for generating client 
> certificates and adding them to the server keystore. I know that 
> Tomcat won't reload keystore unless the server is restarted, so I did 
> look for alternatives, and the JSSE guide explains an approach to this 
> in the section "Creating Your Own X509TrustManager".
>
> My question is: Does anybody on this list have some experience solving
> this problem, providing Tomcat a custom trust manager to dynamically
> add a client certificate to the verification path when client
> credentials are presented?
>
> Can self-enrollment be done using Tomcat and JSSE? Maybe it can't be
> done and I am just wasting my time ;) I have searched a lot in the last 3
> days, Tomcat list archives and other materials, and I have not found a
> single solution to this problem, except for the JSSE guide and this
> article, which explains how to create a TrustManager and an SSLContext
> for implementing S/MIME with
> JavaMail:
>
> * http://www.javaworld.com/javatips/jw-javatip115.html
>
> Thanks a lot for any feedback you can provide.
>
> Regards,
> Martin
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: [email protected] To unsubscribe,
> e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>

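The flow this thread converges on (issue client certificates from your own CA so that only the CA certificate has to sit in Tomcat's truststore, and drive openssl without any interactive prompts), written out as an added shell example that is not part of any message in this thread. It assumes the openssl command-line tool is installed; the CA name, client name, PKCS#12 password, file names and work directory are all made-up placeholders. It also shows the check that makes the model safe: a certificate from an unrelated CA does not verify against the CA file.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): issue a client
# certificate from a private CA with openssl, package it as PKCS#12, and
# verify that it chains to the CA. Every name, password and path below is
# an assumption. Requires the openssl command-line tool.
set -eu

# enroll_client WORKDIR CLIENT_CN PKCS12_PASSWORD
# Creates the CA on first use (WORKDIR/ca.key, WORKDIR/ca.crt), then issues
# WORKDIR/<CN>.crt and WORKDIR/<CN>.p12 signed by that CA. Returns 0 when the
# issued certificate verifies against ca.crt, non-zero otherwise.
enroll_client() {
    workdir="$1"; cn="$2"; p12pass="$3"
    mkdir -p "$workdir"

    # One-time CA: a self-signed certificate whose public half is what goes
    # into the server's truststore. -subj supplies the distinguished name on
    # the command line, so nothing is read from standard input.
    if [ ! -f "$workdir/ca.crt" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -subj "/CN=Example Enrollment CA/O=Example" \
            -keyout "$workdir/ca.key" -out "$workdir/ca.crt" 2>/dev/null
    fi

    # Client key plus certificate signing request (CSR), again non-interactive.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$cn/O=Example" \
        -keyout "$workdir/$cn.key" -out "$workdir/$cn.csr" 2>/dev/null

    # Sign the CSR with the CA key. -CAcreateserial keeps a serial file so
    # each issued certificate gets a distinct serial number.
    openssl x509 -req -sha256 -days 365 \
        -in "$workdir/$cn.csr" \
        -CA "$workdir/ca.crt" -CAkey "$workdir/ca.key" -CAcreateserial \
        -out "$workdir/$cn.crt" 2>/dev/null

    # Bundle key + certificate + CA certificate into PKCS#12 for import into a
    # browser or a Java keystore; -passout avoids the password prompt.
    openssl pkcs12 -export \
        -inkey "$workdir/$cn.key" -in "$workdir/$cn.crt" \
        -certfile "$workdir/ca.crt" -name "$cn" \
        -passout "pass:$p12pass" -out "$workdir/$cn.p12"

    # The property the thread is after: the new certificate validates against
    # the CA alone, so the truststore needs only ca.crt and no reload.
    cert_trusted_by_ca "$workdir" "$workdir/$cn.crt"
}

# cert_trusted_by_ca WORKDIR CERTFILE
# Returns 0 if CERTFILE chains to WORKDIR/ca.crt, non-zero otherwise. This is
# the same path-validation decision a TLS server makes against its truststore.
cert_trusted_by_ca() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}
```

From Java, the individual openssl commands above can be run with ProcessBuilder (or Runtime.exec()); pass the `-subj` and `-passout` values as arguments rather than writing answers to the process's standard input, and treat a non-zero exit status from `openssl verify` as "do not trust".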