All,

I've never used client SSL certificates, but they seem ideal for a newly-requested feature for our software, and I'd like to run the idea past you folks as a smoke test. I realize a lot of this is off-topic, but the documentation for these things is a bit disjointed because of all the moving parts.

Basically, I'd like to relax authentication requirements for my users when a valid client SSL cert is presented. I don't want to use the cert itself for authentication (for two reasons: first, I'm not using Tomcat's container-managed authentication, and second, I want to use other factors besides the client cert)... I just want to be able to get my hands on the certificate itself in order to grab some information, including its validity.

My setup is:

    Sun JDK 1.5.0_13
    Tomcat 5.5.26
    Apache httpd 2.2.3 (hey, it's what Debian provides)
    mod_jk 1.2.26

I currently have an EV SSL cert for my own domain name purely for encryption of the HTTP connection. Since I have SSL termination occurring at the httpd level, I suppose that means that I need to configure Apache httpd to request, accept, and validate the client certificate.

My understanding is that I'll have to sign the client's SSL certificate with my own CA, which I'll have to create for these purposes. No problem: I'll create my own CA which will only be used for signing client SSL certs for this purpose.

So, above and beyond my existing SSL configuration for Apache httpd, it looks like I'll need the following:

    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLCACertificateFile conf/my-client-cert-ca.crt

That appears to be it. My expectation here is that, if the client provides a client cert, httpd will verify it and kill the connection if the certificate is not valid. Cert-less clients will be allowed to connect. Is this accurate?

Next, I need my mod_jk/Tomcat configuration updated so that I can get the certificate forwarded via AJP:

    # not sure if this is required, since validation of the client
    # cert has already occurred.
    JkOptions +ForwardSSLCertChain

Finally, in my code (the attribute is defined by the servlet spec as an X509Certificate[], leaf certificate first, so it has to be cast to an array rather than to a single X509Certificate):

    X509Certificate[] chain = (X509Certificate[])
        req.getAttribute("javax.servlet.request.X509Certificate");
    X509Certificate clientCert = (chain == null || chain.length == 0) ? null : chain[0];

Now, I can check the validity if I really want to by calling clientCert.checkValidity(). In order to do this, I have to have my own client-cert-CA's cert in my own keystore, right? Do I need anything else?

Does it sound like a good idea to double-check the signing authority to make sure it's actually ME instead of either a) relying on httpd to do this or b) potentially allowing a client cert signed by, say, VeriSign to come in since VeriSign is a widely-trusted CA?

Finally, how can I identify the CN of the client at this point? I don't see any methods in the X509Certificate class that give me the CN data... only getSubjectDN... is that the same thing?

Thanks everyone,

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
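The servlet-side checks the post asks about (validity, "was it really MY CA that signed this", and pulling the CN out of the subject DN), as an added example written for this page rather than code from the original poster. It assumes the CA certificate is on disk in PEM form at a made-up path (CA_PATH) and that httpd has `SSLOptions +ExportCertData` set, since mod_jk can only forward the SSL_CLIENT_CERT value that mod_ssl exports. Checking the issuer name alone would not be enough (any CA can put that string in the issuer field), so the cert's signature is also verified against the private CA's public key; a CA in the JVM's default truststore, VeriSign included, gets no say.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;

/**
 * Added example (not from the original post): reads the client cert that
 * mod_jk forwarded over AJP, accepts it only if it is time-valid AND was
 * signed by our own client-cert CA, and extracts the CN from its subject.
 */
public final class ClientCertCheck {

    /** Assumed location of the private CA's certificate (PEM). */
    private static final String CA_PATH = "/etc/tomcat5.5/my-client-cert-ca.crt";

    private static final X509Certificate CA_CERT = loadCa(CA_PATH);

    private ClientCertCheck() {}

    private static X509Certificate loadCa(String path) {
        InputStream in = null;
        try {
            in = new FileInputStream(path);
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(in);
        } catch (Exception e) {
            throw new IllegalStateException("cannot load client-cert CA from " + path, e);
        } finally {
            if (in != null) {
                try { in.close(); } catch (IOException ignored) { /* nothing to do */ }
            }
        }
    }

    /**
     * Returns the client's leaf certificate if one was presented and it passes
     * all checks, or null if the request is cert-less or the cert is rejected.
     * A null result should send the user down the normal, stronger auth path.
     */
    public static X509Certificate verifiedClientCert(HttpServletRequest req) {
        // The servlet spec defines this attribute as an array, leaf cert first,
        // not a single X509Certificate.
        X509Certificate[] chain = (X509Certificate[])
            req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            return null;
        }
        X509Certificate leaf = chain[0];
        try {
            // notBefore / notAfter; throws if outside the window.
            leaf.checkValidity();

            // Issuer must be our CA by name ...
            if (!leaf.getIssuerX500Principal().equals(CA_CERT.getSubjectX500Principal())) {
                return null;
            }
            // ... and the signature must actually verify with our CA's key,
            // otherwise a cert from any other CA could simply claim our name.
            leaf.verify(CA_CERT.getPublicKey());
        } catch (GeneralSecurityException e) {
            // expired, not yet valid, bad signature, wrong key type, etc.
            return null;
        }
        return leaf;
    }

    /**
     * getSubjectDN() returns the whole distinguished name; the CN is one RDN
     * inside it. Parse the RFC 2253 form and pick out the CN attribute.
     */
    public static String commonName(X509Certificate cert) {
        String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // malformed DN: treat as "no CN"
        }
        return null;
    }
}
```

Two things this example deliberately does not do: it performs no revocation check (no CRL or OCSP), so a compromised client cert stays usable until it expires unless `SSLCARevocationFile` is configured in httpd or a CRL check is added here; and it does not look at `SSLVerifyDepth`, because with `SSLVerifyDepth 1` httpd already refuses anything not issued directly by the CA in `SSLCACertificateFile`, and the direct `verify()` against that CA's key enforces the same single-level chain on the Tomcat side.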