Have a look at my doco, it might help you:
http://jack.godau.googlepages.com/jbosscertificatesandopenssl
Cheers Jack...

On 15/06/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Hi,

I am setting up client authentication for Tomcat. I followed the following procedure but it failed in the browsers: it says the issuer was not found. I also found another, complete set of instructions which says 2 files are needed to import into the browser's machine. I am trying to name the CN and the OU to match the domain name of the server. If someone knows more about this procedure, please post it, and we should recommend that Tomcat make it into its documentation.

I also have a question about client authentication. If I go to CAcert.org and register, then I can click "client authentication" and they can give me a certificate for the browser. How can we use that? Is that easier? I tried to import it into Tomcat's keystore, but it failed.

============================================

1 - Setting up the CA

- Create /home/lams/openssl to hold the CA keys, server keys and (as we want to use SSL client authentication) the client keys.

- Create a private key and certificate request for our CA:

  #openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
  openssl req -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key

- Create the CA's self-signed certificate:

  #openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
  openssl x509 -req -trustout -signkey ca.key -days 365 -in ca.csr -out ca.pem

- Import the CA certificate into the JDK certificate authorities keystore:

  $JAVA_HOME/bin/keytool -import -keystore $JAVA_HOME/lib/security/cacerts -file ca.pem -alias itcilo_ca

- Create a file to hold the CA's serial numbers. This file starts with the number "2":

  echo "02" > ca.srl
  #for Windows, echo 02 > ca.srl

2 - Setting up the web server

- Create /etc/tomcat to contain both the keystore and the truststore files (the truststore is a keystore in which reside all the certificates with which a user can authenticate himself on the server).

- Create a keystore for the Tomcat server:

  $JAVA_HOME/bin/keytool -genkey -alias map-test -keyalg RSA -keysize 1024 -keystore /etc/tomcat/server-keystore2.jks -storetype JKS

- Create a certificate request for the web server:

  $JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias map-test -file map-test.csr -keystore /etc/tomcat/server-keystore2.jks

  You need to edit the certificate request file slightly. Open it up in a text editor and amend the text which reads "NEW CERTIFICATE REQUEST" to "CERTIFICATE REQUEST".

- Have your CA sign your certificate request:

  openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in map-test.csr -out map-test.crt -days 365

- Import your CA certificate into your server keystore. This step is necessary because we want to use SSL client authentication.

  $JAVA_HOME/bin/keytool -import -alias itcilo_ca -keystore /etc/tomcat/server-keystore2.jks -trustcacerts -file ca.pem

- Import the signed server certificate into the server keystore:

  $JAVA_HOME/bin/keytool -import -alias map-test -keystore /etc/tomcat/server-keystore2.jks -trustcacerts -file map-test.crt

  You should see the message "Certificate reply was installed in keystore".

3 - Setting up the SSL client

- Create a client certificate request:

  #openssl req -new -newkey rsa:512 -nodes -out santiago.req -keyout santiago.key
  openssl req -newkey rsa:512 -nodes -out santiago.req -keyout santiago.key

- Have the CA sign the client certificate:

  openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in santiago.req -out santiago.pem -days 365

- Import the CA certificate into the truststore:

  $JAVA_HOME/bin/keytool -import -alias itcilo_ca -keystore /etc/tomcat/truststore-itcilo2.jks -trustcacerts -file ca.pem

- Import the client certificate into the truststore:

  $JAVA_HOME/bin/keytool -import -alias santiago -keystore /etc/tomcat/truststore-itcilo2.jks -trustcacerts -file santiago.pem

- Generate a PKCS12 file containing the client key and certificate:

  openssl pkcs12 -export -clcerts -in santiago.pem -inkey santiago.key -out santiago.p12 -name "virgilio_certificate"

- Import the PKCS12 file into the web browser to use as the client certificate and key (Tools - Internet Options - Content - Certificates; verify by clicking "Advanced" that "Client Authentication" is checked).

4 - Configure Tomcat for SSL

The following lines must be added to server.xml. The clientAuth parameter must be set to true, as we want Tomcat to require all SSL clients to present a client certificate in order to use this socket.

  <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
  <Connector port="8443" maxHttpHeaderSize="8192"
             maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" scheme="https" secure="true"
             clientAuth="true" sslProtocol="TLS"
             keystoreFile="/etc/tomcat/server-keystore.jks" keystorePass="password"
             truststoreFile="/etc/tomcat/truststore-itcilo.jks" truststorePass="password" />

Regards,
Gaël

================================================================

Hi all,

I sorted it out. Thanks for your help. These are the steps I followed. Hope it helps someone.

1) perl CA.pl -newca (create a new CA)
2) perl CA.pl -newreq (new client request)
3) perl CA.pl -sign (sign the certificate request)
4) openssl rsa < newreq.pem > client_key.pem (extract the RSA key)
5) mv newreq.pem client_req.pem (renaming for your identification)
6) mv newcert.pem client_cert.pem (renaming for your identification)
7) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12 (generate a PKCS12 certificate)
8) keytool -genkey -alias tomcat -keyalg RSA (generate your keystore)
9) keytool -certreq -keyalg RSA -alias tomcat -file tomcat.csr (generate a request for Tomcat)
10) openssl x509 -req -CA democa/cacert.pem -CAkey democa/private/cakey.pem -extensions v3_ca -in tomcat.csr -inform DER -out tomcat.x509 -CAcreateserial (signs the Tomcat certificate request with your CA)
11) keytool -import -alias MyRootCA -keystore $JAVA_HOME/jre/lib/security/cacerts -file democa/cacert.pem (import the CA self-signed certificate into the truststore)
12) keytool -import -alias tomcat -file tomcat.x509

Import both democa/cacert.pem and client.p12 to the client's machine. In your server.xml file enable client authentication by setting clientAuth="true", and that's it.

Regards & Thanks
================
Mahesh S Kudva
--
Cheers Jack...
The claim "natural" is not synonymous with safe.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
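The OpenSSL half of the procedure quoted in the thread (a private CA with its serial file, a CA-signed server certificate, a CA-signed client certificate, the PKCS12 bundle for the browser, and a chain check that reproduces the "issuer not found" failure the original poster hit), written out as an added example; it is not code from this thread or from any of the posters. It assumes openssl 1.1.1 or later on PATH, uses 2048-bit keys instead of the 1024- and 512-bit keys in the thread, and the subject names, passphrase, file names and hostname below are constructed. The keytool and server.xml steps are left as the thread describes them.

```shell
#!/bin/sh
# Added example, not code from the thread: a private CA, a CA-signed server
# certificate, a CA-signed client certificate and a PKCS12 bundle, all with
# OpenSSL, plus a chain check that reproduces the poster's "issuer not found".
# Assumptions: openssl 1.1.1+ on PATH; 2048-bit keys (the thread used 1024
# and 512); subject names, passphrase and file names below are constructed.
set -e

# Minimal req config so the run does not depend on the system openssl.cnf.
write_req_conf() {
    printf '[req]\ndistinguished_name = dn\n[dn]\ncommonName = Common Name\n' > "$1"
}

# Self-signed CA in $1 with CN $2: ca.key, ca.pem and the serial file ca.srl.
make_ca() {
    ca_dir=$1; mkdir -p "$ca_dir"; write_req_conf "$ca_dir/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$ca_dir/req.cnf" \
        -subj "/O=Example/CN=$2" -keyout "$ca_dir/ca.key" -out "$ca_dir/ca.csr"
    # The thread's bare "x509 -req -signkey" yields a CA cert with no
    # basicConstraints; mark it as a CA explicitly so verifiers accept it.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$ca_dir/ca.ext"
    openssl x509 -req -signkey "$ca_dir/ca.key" -days 365 -extfile "$ca_dir/ca.ext" \
        -in "$ca_dir/ca.csr" -out "$ca_dir/ca.pem"
    echo "02" > "$ca_dir/ca.srl"    # serial counter, started at 02 as in the thread
}

# Key + CSR for $2 in $1, signed by the CA in $1. $3 is the CN, $4 the role:
# "server" adds a SAN matching the CN (what browsers actually check) and
# serverAuth; anything else adds the clientAuth EKU the browser dialog wants.
issue_cert() {
    dir=$1; name=$2; cn=$3; role=$4
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -subj "/O=Example/CN=$cn" -keyout "$dir/$name.key" -out "$dir/$name.csr"
    # keytool writes a "NEW CERTIFICATE REQUEST" header that older openssl
    # rejects; normalise it as the thread does (a no-op for openssl CSRs).
    sed 's/NEW CERTIFICATE REQUEST/CERTIFICATE REQUEST/' "$dir/$name.csr" \
        > "$dir/$name.csr.tmp" && mv "$dir/$name.csr.tmp" "$dir/$name.csr"
    if [ "$role" = server ]; then
        printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$cn" > "$dir/$name.ext"
    else
        printf 'extendedKeyUsage=clientAuth\n' > "$dir/$name.ext"
    fi
    openssl x509 -req -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAserial "$dir/ca.srl" \
        -days 365 -extfile "$dir/$name.ext" -in "$dir/$name.csr" -out "$dir/$name.pem"
}

# Exit 0 only if certificate $1 chains to the CA certificate $2 (what the
# browser and Tomcat's truststore do); anything else is the "issuer not found" case.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Exit 0 if certificate $1 carries CN $2 in its subject.
cert_has_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -q "CN=$2"
}

# Bundle $2's key and certificate in $1 into a PKCS12 file for the browser
# import step, then reopen it to prove that passphrase $3 unlocks it.
export_p12() {
    openssl pkcs12 -export -clcerts -in "$1/$2.pem" -inkey "$1/$2.key" \
        -name "$2" -passout "pass:$3" -out "$1/$2.p12"
    openssl pkcs12 -in "$1/$2.p12" -passin "pass:$3" -noout
}

# Run the whole procedure in a scratch directory and print its path.
demo() {
    work=${1:-$(mktemp -d)}
    make_ca "$work/ca" "Demo Root CA" >&2
    issue_cert "$work/ca" server "tomcat.example.test" server >&2
    issue_cert "$work/ca" client "santiago" client >&2
    export_p12 "$work/ca" client "changeit" >&2
    # A second, unrelated CA stands in for a browser that never imported
    # ca.pem: the same client certificate no longer verifies against it.
    make_ca "$work/other" "Unrelated CA" >&2
    if verify_chain "$work/ca/client.pem" "$work/other/ca.pem"; then
        echo "unexpected: client cert verified against the wrong CA" >&2
    else
        echo "client cert rejected by the unrelated CA, as expected" >&2
    fi
    echo "$work"
}
```

Running `demo` leaves ca/ca.pem (to import into the JDK cacerts and the Tomcat truststore), ca/server.pem (the reply to install against the keytool-generated key) and ca/client.p12 (the browser import) in the scratch directory, with ca/ca.srl advanced once per signed certificate. The failing verification against the second CA is exactly what a browser reports when the CA certificate was never imported into it, which is why the thread's answers all end with "import cacert.pem on the client machine"; the explicit basicConstraints, subjectAltName and extendedKeyUsage extensions are the pieces the thread's bare `x509 -req` recipe leaves out and that current browsers and Tomcat check.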