Hi,
I have followed this procedure twice and all failed at the browsers.
Someone please help to work out a procedure so that we can set up 
clientAuth="true" after clientAuth="false" worked.
Now, in this procedure, there are 3 aliases, itcilo_ca, map-test and santiago, 
which I cannot understand.
There is already an alias "tomcat" inside the keystore. Should we use it? 
Thanks!
 
P.S. I have created a .BAT file for each command. I can pack it and ship it to 
anyone who wants it. I may put them all together and make it as easy as a 
double-click. Also I can make the bash file on Linux after I get success on 
this. 
 
Frank Peng.
==============================================

1 - Setting up the CA 

- Create /home/lams/openssl to hold the CA keys, server keys and (as 
we want to use SSL client authentication) the client keys. 

- 1)Create a private key and certificate request for our CA: 
#openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key 
openssl req -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key 

- 2)Create a CA's self-signed certificate: 

#openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem 
openssl x509 -req -trustout -signkey ca.key -days 365 -in ca.csr -out ca.pem

- 3) Import the CA certificate into the JDK certificate authorities 
keystore: 
$JAVA_HOME/bin/keytool -import -keystore 
$JAVA_HOME/lib/security/cacerts -file ca.pem -alias itcilo_ca 

- 4)Create a file to hold the CA's serial numbers. This file starts 
with the number "2": 
echo "02" > ca.srl 
#for Windows, echo 02 > ca.srl

2 - Setting the web server 

- Create /etc/tomcat to contain both the keystore and the truststore 
files (the truststore is a keystore in which reside all the certificates 
with which a user can authenticate himself on the server). 

- 5)Create a keystore for the tomcat server. 
$JAVA_HOME/bin/keytool -genkey -alias map-test -keyalg RSA -keysize 
1024 -keystore /etc/tomcat/server-keystore2.jks -storetype JKS 

- 6)Create a certificate request for the web server. 
$JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias map-test -file 
map-test.csr -keystore /etc/tomcat/server-keystore2.jks 

You need to edit the certificate request file slightly. Open it up in 
a text editor and amend the text which reads "NEW CERTIFICATE REQUEST" 
to "CERTIFICATE REQUEST" 

- 7)Have your CA sign your certificate request: 
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in 
map-test.csr -out map-test.crt -days 365 

- 8)Import your CA certificate into your server keystore: 

This step is necessary because we want to use SSL client authentication. 

$JAVA_HOME/bin/keytool -import -alias itcilo_ca -keystore 
/etc/tomcat/server-keystore2.jks -trustcacerts -file ca.pem 

- 9)Import the signed server certificate into the server keystore: 

$JAVA_HOME/bin/keytool -import -alias map-test -keystore 
/etc/tomcat/server-keystore2.jks -trustcacerts -file map-test.crt 

You should see a message "Certificate reply was installed in keystore". 

3 - Setting up the ssl client 

- 10)Create a client certificate request: 

#openssl req -new -newkey rsa:512 -nodes -out santiago.req -keyout santiago.key 
openssl req -newkey rsa:512 -nodes -out santiago.req -keyout santiago.key

- 11) Have the CA sign the client certificate. 

openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in 
santiago.req -out santiago.pem -days 365 

- 12) Import the CA certificate into the truststore: 

$JAVA_HOME/bin/keytool -import -alias itcilo_ca -keystore 
/etc/tomcat/truststore-itcilo2.jks -trustcacerts -file ca.pem 

- 13)Import the client certificate into the truststore: 

$JAVA_HOME/bin/keytool -import -alias santiago -keystore 
/etc/tomcat/truststore-itcilo2.jks -trustcacerts -file santiago.pem 

- Generate a PKCS12 file containing the client key and certificate: 

openssl pkcs12 -export -clcerts -in santiago.pem -inkey santiago.key 
-out santiago.p12 -name "virgilio_certificate" 

- Import the PKCS12 file into the web browser to use as the client 
certificate and key (tools - internet options - contents - 
certificates, verify by clicking in "advanced" that "client 
authentication" is checked) 

4 - Configure tomcat for ssl 

The following lines must be added to server.xml. The clientAuth 
parameter must be set to true as we want Tomcat to require all SSL 
clients to present a client Certificate in order to use this socket. 

<!-- Define a SSL HTTP/1.1 Connector on port 8443 --> 
<!-- keystoreFile and truststoreFile must name the files created in steps 5 and 12 --> 
<Connector port="8443" maxHttpHeaderSize="8192" 
maxThreads="150" minSpareThreads="25" maxSpareThreads="75" 
enableLookups="false" disableUploadTimeout="true" 
acceptCount="100" scheme="https" secure="true" 
clientAuth="true" sslProtocol="TLS" 
keystoreFile="/etc/tomcat/server-keystore2.jks" 
keystorePass="password" 
truststoreFile="/etc/tomcat/truststore-itcilo2.jks" 
truststorePass="password" /> 

Regards, 

Gaël 
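As an added, runnable example (not part of either mail), here is the openssl half of the procedure above as a non-interactive shell script: it builds the CA, signs a server and a client request against it using the ca.srl serial file, exports the client PKCS12, and then verifies that both certificates actually chain to the CA, which is the check worth running before touching server.xml. The keytool steps need a JDK and are left out; the subject names, the password `changeit` and the scratch directory are constructed for this example and stand in for itcilo_ca, map-test and santiago.

```shell
#!/bin/sh
# Added example (not from the original mail): openssl part of the
# procedure, run non-interactively into a scratch directory, then verified.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for all key material

setup_ca() {
  cd "$WORK"
  # Steps 1-2: CA private key, request and self-signed CA certificate.
  # Subject name is constructed for this example.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
      -out ca.csr -keyout ca.key 2>/dev/null
  openssl x509 -req -signkey ca.key -days 365 -in ca.csr -out ca.pem 2>/dev/null
  # Step 4: serial file; openssl increments it on every signed certificate.
  echo "02" > ca.srl
}

issue_cert() {
  # $1 = file basename, $2 = subject. Steps 6-7 / 10-11: request, then
  # have the CA sign it with -CAserial so serial numbers stay unique.
  cd "$WORK"
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
      -out "$1.csr" -keyout "$1.key" 2>/dev/null
  openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req \
      -in "$1.csr" -out "$1.pem" -days 365 2>/dev/null
}

verify_chain() {
  # The check the procedure lacks: both certificates must validate against
  # the CA, and the PKCS12 must open with its password (constructed here).
  cd "$WORK"
  openssl verify -CAfile ca.pem server.pem >/dev/null 2>&1 || return 1
  openssl verify -CAfile ca.pem client.pem >/dev/null 2>&1 || return 1
  openssl pkcs12 -in client.p12 -passin pass:changeit -noout 2>/dev/null
}

run_all() {
  setup_ca
  issue_cert server "/CN=map-test.example"   # server cert (step 7)
  issue_cert client "/CN=santiago"           # client cert (step 11)
  cd "$WORK"
  # PKCS12 bundle for the browser (key + cert); password is constructed
  openssl pkcs12 -export -clcerts -in client.pem -inkey client.key \
      -out client.p12 -name "client_certificate" -passout pass:changeit
  verify_chain
}
```

Run `run_all` from a shell that has sourced the script; a non-zero exit from `verify_chain` means the signing step produced a certificate the CA does not vouch for, and importing it into the truststore would not help.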
