In my case, I am testing with clients authenticating to Tomcat with DoD CAC cards (smartcards).

I downloaded the DoD root .p7b cert files. I checked/verified that the root cert for the client CAC card certs matched the DoD root certs (in the .p7b files). I extracted ONLY the root certs from each .p7b file into X.509 base64-encoded .cer files, then I imported ONLY those DoD X.509 root certs into Tomcat's truststoreFile.

Now when a client browses to Tomcat, it tries to authenticate with the client cert (from the CAC card). Because Tomcat has the root for the client cert loaded into its truststore, and the matching client cert "subject" name (i.e. user) loaded in its auth realm, the client is therefore authenticated.

I have more to do, but that much is working.

________________________________
From: Christopher Schultz <ch...@christopherschultz.net>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Mon, April 12, 2010 9:32:32 AM
Subject: Re: Installing certificate chain on Tomcat

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

/U,

On 4/10/2010 3:31 PM, /U wrote:
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS"
>            keystoreFile="/users/me/.keystore" keystorePass="changeit"
> />

Are you using APR (aka Tomcat native)?

> I have received the following keys/certs from CA:
> - file1: private key for myhost
> - file2: identity certificate for "myhost" signed by "CA1"
> - file3: certificate for "CA1" signed by "entrust"
>
> I installed private key (file1) and "myhost" cert (file2) into
> /users/me/.keystore using the ImportKey utility.
> I installed CA1's certificate into "/users/me/.keystore" using keytool.
> My keytool output looks like this:
> $ keytool -list -keystore /users/me/.keystore
> <...password...>

Heh... you mean it's not "changeit"? :)

> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 2 entries

Shouldn't that be 3 entries?

> CA1, Apr 10, 2010, trustedCertEntry,
> Certificate fingerprint (MD5): 2F:B3:00:F2:FA:12:7B:BD:82:95:70:05:99:12:17:DB:BE
> tomcat, Apr 10, 2010, PrivateKeyEntry,
> Certificate fingerprint (MD5): CD:D9:06:11:30:CD:C2:60:33:33:68:A2:30:5C:01:50

What about the "entrust" one?

> I did not install any certificates into truststore
> (jre/lib/security/cacerts).
>
> When I connect browser to https://myhost, I get a cert error that
> "myhost" is signed by "CA1" and cannot be trusted.
> Browser shows only one cert (for "myhost") and does not show the full
> cert chain ("myhost" -> "CA1" and "CA1" -> entrust).
> Why is the full cert chain not sent to browser?

Because you haven't provided the whole certificate chain to Tomcat. Tomcat can only send what it already has.

> Since "entrust" CA cert is in browser CA list, if Tomcat sends full cert
> chain to browser, it would be trusted.

Maybe, maybe not. It's possible that the real cert chain goes like this:

  myhost -> CA1 -> Entrust -> Entrust Global

If your browser only knows about the "Entrust Global" cert, then your chain is broken.

Did you follow the instructions on Entrust's web site?

http://www.entrust.net/knowledge-base/technote.cfm?tn=7559 (for chain certs)
http://www.entrust.net/knowledge-base/technote.cfm?tn=7583 (for bare certs, I guess)

Perhaps they are the ones to ask about this. You might want to ask why they don't "support" a version of Tomcat after 4.1.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvDIPAACgkQ9CaO5/Lv0PDmAACfce9J55S5uIHkXTiku9l1YQKa
FGkAnjPIXGcvn2B2CQlguGbaz0eTmwkU
=G6eH
-----END PGP SIGNATURE-----
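The two mechanisms this thread turns on, as an added example that is not part of the thread and not Tomcat's own code: (1) a JSSE-based Tomcat connector hands the TLS layer only the certificate chain stored inside the PrivateKeyEntry it serves from, so a CA1 certificate imported as a separate trustedCertEntry is never sent, which is exactly why /U's browser sees a single certificate; and (2) the receiving side (a browser, or Tomcat itself with clientAuth and the DoD roots in its truststore) walks issuer links from the leaf through what it received until it reaches one of its own trust anchors, and the walk stops dead at the first issuer it cannot find. Certificates are modelled by subject and issuer names only (no keys or signatures), anchors are matched by name only, and every certificate name below (myhost, CA1, Entrust, Entrust Global, the DoD CA and CAC user names) is constructed for the illustration.

```python
"""Model of which certificates Tomcat sends, and whether the peer can build
a path from them to a trust anchor.  Added example; names are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple, Union


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass(frozen=True)
class PrivateKeyEntry:
    """keytool 'PrivateKeyEntry': a private key plus its chain, leaf first."""
    chain: Tuple[Cert, ...]


@dataclass(frozen=True)
class TrustedCertEntry:
    """keytool 'trustedCertEntry': a lone certificate attached to no key."""
    cert: Cert


KeyStore = Dict[str, Union[PrivateKeyEntry, TrustedCertEntry]]


def certs_sent_by_tomcat(keystore: KeyStore, key_alias: str) -> List[Cert]:
    """What goes on the wire: the PrivateKeyEntry's own chain and nothing else.
    trustedCertEntry entries in the same keystore are not consulted."""
    entry = keystore[key_alias]
    if not isinstance(entry, PrivateKeyEntry):
        raise ValueError(f"alias {key_alias!r} is not a PrivateKeyEntry")
    return list(entry.chain)


def build_path(received: List[Cert], anchors: Iterable[Cert]) -> Tuple[List[Cert], Optional[str]]:
    """Peer-side path building.  Returns (path, None) when the leaf links up
    to a trust anchor (path ends with that anchor), or (partial_path, reason)
    describing the first gap when it does not."""
    if not received:
        return [], "peer sent no certificates"
    by_subject = {c.subject: c for c in received[1:]}      # candidate issuers
    anchor_by_subject = {c.subject: c for c in anchors}    # what the peer trusts
    path: List[Cert] = [received[0]]
    while True:
        current = path[-1]
        if current.subject in anchor_by_subject:
            return path, None                              # reached a trusted cert
        if current.is_self_signed():
            return path, f"root {current.subject!r} is not a trust anchor"
        nxt = anchor_by_subject.get(current.issuer) or by_subject.get(current.issuer)
        if nxt is None:
            return path, f"no certificate for issuer {current.issuer!r} was sent or trusted"
        if nxt.subject in {c.subject for c in path}:
            return path, f"issuer loop at {nxt.subject!r}"
        path.append(nxt)


# Constructed server-side chain, following Chris's "maybe, maybe not" shape.
MYHOST = Cert("CN=myhost", "CN=CA1")
CA1 = Cert("CN=CA1", "CN=Entrust")
ENTRUST = Cert("CN=Entrust", "CN=Entrust Global")
ENTRUST_GLOBAL = Cert("CN=Entrust Global", "CN=Entrust Global")


def keystore_as_posted() -> KeyStore:
    """The two-entry keystore from the thread: leaf-only key entry plus CA1 on the side."""
    return {"tomcat": PrivateKeyEntry((MYHOST,)), "CA1": TrustedCertEntry(CA1)}


def keystore_fixed() -> KeyStore:
    """Intermediates stored in the PrivateKeyEntry's chain, where JSSE reads them."""
    return {"tomcat": PrivateKeyEntry((MYHOST, CA1, ENTRUST))}


def browser_check(keystore: KeyStore, browser_anchors: Iterable[Cert]):
    return build_path(certs_sent_by_tomcat(keystore, "tomcat"), browser_anchors)


# Constructed client-auth case: CAC leaf plus issuing CA sent by the client,
# only the root imported into Tomcat's truststore (hypothetical names).
DOD_ROOT = Cert("CN=DoD Root CA", "CN=DoD Root CA")
DOD_CA = Cert("CN=DoD CA-NN", "CN=DoD Root CA")
CAC_USER = Cert("CN=DOE.JOHN.1234567890", "CN=DoD CA-NN")


def tomcat_client_auth_check():
    return build_path([CAC_USER, DOD_CA], {DOD_ROOT})


if __name__ == "__main__":
    for label, result in [
        ("as posted, browser trusts Entrust Global", browser_check(keystore_as_posted(), {ENTRUST_GLOBAL})),
        ("fixed keystore, browser trusts Entrust Global", browser_check(keystore_fixed(), {ENTRUST_GLOBAL})),
        ("leaf+CA1 only, browser trusts Entrust Global", build_path([MYHOST, CA1], {ENTRUST_GLOBAL})),
        ("CAC client auth against DoD root truststore", tomcat_client_auth_check()),
    ]:
        path, reason = result
        print(f"{label}: {' -> '.join(c.subject for c in path)} :: {reason or 'OK'}")
```

The fix the model points at is the one the keytool workflow already supports: import the CA certificates first, then import the signed server certificate with `keytool -importcert -alias tomcat -trustcacerts`, so that keytool attaches the intermediates to the PrivateKeyEntry's chain instead of leaving them as unrelated trustedCertEntry rows; `keytool -list -v` will then show a chain length greater than 1 for the tomcat alias.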