Fred,
Thanks. I'm confident in the URLs --> the http version works
fine, so the machine is OK. And I can browse the server on the 8443
port (including the Java AXIS WSDL; plus it works). I just wanted
some confidence that this cert wackiness is really what was going
on... I'll now send out the openssl stuff. I know this isn't an
openssl group, but you have to do something like this to use SSL with
AXIS-C, so if anyone can share what they're doing or critique what I'm
doing, please do.
(The following is based upon the process described at:
http://www.churchillobjects.com/c/11201g.html)
<code>
#!/usr/bin/csh
rm -rf mkcerts
#set path = ( /usr/local/ssl/bin $path )
#set path = /usr/local/ssl/bin:$path
#setenv PATH = /usr/local/ssl/bin:$PATH
set path = ( /usr/local/ssl/bin $path )
#set path = /usr/local/ssl/bin:$path
echo $PATH
# Working directory, plus the ./demoCA layout that "openssl ca" expects by default
mkdir mkcerts
cd mkcerts
mkdir demoCA
cd demoCA
mkdir certs
mkdir crl
mkdir newcerts
mkdir private
touch index.txt
echo "01" > serial
cd ..
# Generate the Certificate Authority's key
openssl genrsa -out ca.key 1024
# Generate the self-signed CA certificate with that key (here-doc answers the DN prompts)
openssl req -new -x509 -key ca.key -out demoCA/cacert.pem <<H_MK_CERT
US
COLORADO
AURORA
myorg
CertGroup
JASON MUSGRAVE
[EMAIL PROTECTED]
H_MK_CERT
# Make the client key (keystore password, DN prompts, confirmation)
keytool -genkey -alias clientapp -keystore newcerts <<H_CLIENT_KEYSTORE
changeit
clientStuff
mysuborg
myorg
AURORA
COLORADO
US
yes
H_CLIENT_KEYSTORE
# Make the server key
keytool -genkey -alias serverapp -keystore newcerts <<H_SERVER_KEYSTORE
changeit
testmachine
mysuborg
myorg
AURORA
COLORADO
US
yes
H_SERVER_KEYSTORE
# Export a signing request (CSR) for the client key; the private key stays in the keystore
keytool -keystore newcerts -certreq -alias clientapp -file clientapp.crs <<H_EXPORT_CLIENT
changeit
H_EXPORT_CLIENT
# Export a signing request (CSR) for the server key
keytool -keystore newcerts -certreq -alias serverapp -file serverapp.crs <<H_EXPORT_SERVER
changeit
H_EXPORT_SERVER
# Sign the client request with the CA key ("y" to sign, "y" to commit to the database)
openssl ca -in clientapp.crs -out clientapp.pem -keyfile ca.key <<H_SIGN_CLIENT
y
y
H_SIGN_CLIENT
# Sign the server request
openssl ca -in serverapp.crs -out serverapp.pem -keyfile ca.key <<H_SIGN_SERVER
y
y
H_SIGN_SERVER
# Convert the signed certs from PEM to DER for keytool
openssl x509 -in clientapp.pem -out clientapp.der -outform DER
openssl x509 -in serverapp.pem -out serverapp.der -outform DER
# Import the CA cert into the keystore first, so the signed certs chain to something it trusts
keytool -keystore newcerts -alias systemca -import -file demoCA/cacert.pem <<H_IM_1
changeit
yes
H_IM_1
# Import the signed certs back onto their key entries
keytool -keystore newcerts -alias clientapp -import -file clientapp.der <<H_IM_2
changeit
yes
H_IM_2
keytool -keystore newcerts -alias serverapp -import -file serverapp.der <<H_IM_3
changeit
yes
H_IM_3
</code>
Now I have a keystore with client/server certs in it. Then I copy the
newcerts keystore to the Tomcat install (which hosts Java AXIS) and
use keytool to remove the client cert from it.
Then I go back and copy cacert into the certs directory and hash it,
since I think this is how to make it a trusted cert.
<code>
cp cacert.pem certs
cd certs
ln -s cacert.pem `openssl x509 -noout -hash -in cacert.pem`.0
</code>
Any help would be appreciated,
Jason
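Added example, not from Jason's post or from AXIS-C: a small Python model of what the last step sets up, i.e. how OpenSSL locates a CA in a hashed CApath directory such as certs/. It assumes the pre-1.0 `-hash` algorithm (MD5 over the DER subject Name, first four bytes little-endian) and PrintableString/IA5String encoding of ASCII DN values as `openssl req` emits; OpenSSL 1.0 and later hash a canonicalised name with SHA-1 and expose this older value as `-subject_hash_old`, so `.0` links made on 0.9.x must be regenerated (c_rehash) on a newer library.

```python
# Added example, not from the original post: how OpenSSL locates a CA in a hashed
# CApath directory like certs/ above (pre-1.0 hash: MD5 over the DER subject Name).
import hashlib

ATTR_OIDS = {"C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
             "OU": "2.5.4.11", "CN": "2.5.4.3", "emailAddress": "1.2.840.113549.1.9.1"}
def der_tlv(tag, content):
    """DER tag-length-value; long-form length (0x80 | nbytes, then big-endian) past 127."""
    n = len(content)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return der_tlv(0x06, bytes(body))

def der_name(rdns):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, string }; assumes PrintableString
    (IA5String for emailAddress), which is what openssl req emits for plain ASCII values."""
    out = b""
    for attr, value in rdns:
        string_tag = 0x16 if attr == "emailAddress" else 0x13
        atv = der_tlv(0x30, der_oid(ATTR_OIDS[attr]) + der_tlv(string_tag, value.encode("ascii")))
        out += der_tlv(0x31, atv)
    return der_tlv(0x30, out)

def subject_hash_old(name_der):
    """X509_NAME_hash_old: first 4 MD5 bytes read little-endian, printed as 8 hex digits."""
    return "%08x" % int.from_bytes(hashlib.md5(name_der).digest()[:4], "little")
def capath_lookup(dir_entries, rdns):
    """Hash-dir lookup: try <hash>.0, <hash>.1, ... until a name is absent (hence the '.0')."""
    h, found = subject_hash_old(der_name(rdns)), []
    while "%s.%d" % (h, len(found)) in dir_entries:
        found.append("%s.%d" % (h, len(found)))
    return found

# Constructed sample: the CA subject typed into "openssl req" above (redacted email omitted).
CA_SUBJECT = [("C", "US"), ("ST", "COLORADO"), ("L", "AURORA"), ("O", "myorg"),
              ("OU", "CertGroup"), ("CN", "JASON MUSGRAVE")]
```

`capath_lookup({"<hash>.0", ...}, CA_SUBJECT)` returns the file names OpenSSL would open for that CA; an empty list is exactly the "unable to get local issuer certificate" situation the symlink is meant to avoid.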