OK, I think there might be something wrong with my certificates.
So, I tried to follow the document and create all of the certificates.
But I am encountering a problem.  Can someone tell me if I am doing the
right thing?  Here is how I create certificates. (attached is my
openssl.cnf and all certificate files)

1.  generate root certificate and private key.
   # openssl req -x509 -newkey rsa -out cacert.pem -outform PEM
   (this will generate root certificate cacert.pem and private key cakey.pem)

2.  generate a certificate request
   # openssl req -newkey rsa:1024 -keyout testkey.pem -keyform PEM -out testreq.pem
   (this will generate private key testkey.pem and certificate request testreq.pem)

3. Issue a certificate from a certificate request
   # openssl x509 -req -in testreq.pem -sha1 -extfile /opt/exampleca/openssl.cnf -extensions certificate_extensions -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out clientcert.pem
   (this will generate a certificate clientcert.pem)

4.  generate another certificate request
   # openssl req -newkey rsa:1024 -keyout testkey2.pem -keyform PEM -out testreq2.pem
   (this will generate private key testkey2.pem and certificate request testreq2.pem)

5. Issue another certificate from a certificate request, testreq2.pem
   # openssl x509 -req -in testreq2.pem -sha1 -extfile /opt/exampleca/openssl.cnf -extensions certificate_extensions -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out servercert.pem
   (this will generate a certificate servercert.pem)

6. import cacert.pem, cakey.pem and clientcert.pem to my client CPE (in linux)

7. import root certificate, cacert.pem, to Tomcat server in winXP
   # keytool -import -alias root -keystore acs.keystore -trustcacerts -file cacert.pem

8. import certificate, servercert.pem, to Tomcat server in winXP
   # keytool -import -alias tomcat -keystore acs.keystore -trustcacerts -file servercert.pem

My problem is that when I do step 8, an error is encountered:
      keytool error: java.security.SignatureException: Signature does not match.

Couldn't I create both certificates, for client and server, on the same Linux
machine?
I am confused. Did I do anything wrong?  Can anyone help?  Thanks in
advance.


HH



On Fri, Mar 28, 2008 at 1:41 AM, jimmy bahuleyan <[EMAIL PROTECTED]>
wrote:

> 陳秀虹 wrote:
> > Thanks for the explanation.
> > I am having a problem with "Encrypted Alert".
> > At first I thought it's because the Session ID length 0 is not correct.
> > If this is not the problem, I really can't tell where it went wrong from
> > the packets I captured.  I searched the web and I think "Encrypted Alert"
> > means that the alert is being encrypted.  Is there any way I can decrypt
> > the alert message?  Can someone give me any hint?
> > Attached is the .cap file.   Thanks in advance.
> > Here is what I have.
> >
> > from Client :             Client Hello
> > from Server:             Server Hello, Certificate, Server Hello Done
> > from Client :             Client Key Exchange, Change Cipher Spec,
> > Encrypted Handshake Message
> > from Server:             Change Cipher Spec
> > from Server:             Encrypted Handshake Message
> > from Server:             Encrypted Alert
> >
>
>  From your capture file,
>
> - I can see that your server certificate has a few problems (expiry
> date, name, etc.). Well if your client ignores all this and the key is
> good then we may progress.
>
> - Probably the server is failing in the Client_Pre_Master check, so it
> may be using a random value and then eventually failing when verifying
> the Client Finished message, and sends an alert.
>
> So either the client doesn't send a proper pre-master encrypted with the
> server's RSA public key, or you have a problem on the server side. If
> so, you can check the server logs or, better, if you can debug the server
> (then you could check what happens in ssl3_get_client_key_exchange()).
>
> -jb
> --
> Real computer scientists don't comment their code.  The identifiers are
> so long they can't afford the disk space.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
>
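A local sanity check for the files produced in steps 1-5 before they go into a keystore, added here as an example and not part of the thread: it confirms that the leaf certificate chains to the CA and that the private key belongs to the certificate, and shows how a leaf checked against a root with the same name but a different key fails the signature check, which is the class of problem keytool's "Signature does not match" reports. It builds its own throwaway CA in a temp directory (constructed subject names) rather than using the attached files, and assumes the openssl CLI is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): check a CA cert, a leaf cert and its
# private key against each other before importing them into a keystore.
# The throwaway PKI is constructed here; none of the attached files are used.

# Does the leaf chain to the given CA cert (signature, validity, issuer)?
# The ": OK" grep makes this work on old releases whose exit status is always 0.
check_chain() {
    ca="$1"; leaf="$2"
    openssl verify -CAfile "$ca" "$leaf" 2>/dev/null | grep -q ': OK'
}

# Does the private key belong to the certificate (same RSA modulus)?
check_key_match() {
    cert="$1"; key="$2"
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Build a root CA, a server key/CSR/cert signed by it, and a second root with
# the same subject name that never signed anything (a regenerated root key).
make_demo_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
        -keyout "$d/otherkey.pem" -out "$d/othercacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=server.example.test' \
        -keyout "$d/serverkey.pem" -out "$d/serverreq.pem" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/serverreq.pem" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -out "$d/servercert.pem" 2>/dev/null
}

report() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi; }

demo=$(mktemp -d)
make_demo_pki "$demo"
report check_chain "$demo/cacert.pem" "$demo/servercert.pem"
report check_key_match "$demo/servercert.pem" "$demo/serverkey.pem"
# Same issuer name, different signing key: caught here instead of inside
# keytool, where it surfaces only as a SignatureException on import.
report check_chain "$demo/othercacert.pem" "$demo/servercert.pem"
rm -rf "$demo"
```

Run the same three checks against the real cacert.pem, servercert.pem and testkey2.pem from the steps above before repeating step 8.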
