OK, I think there might be something wrong with my certificates. So, I tried to follow the document and create all of the certificates. But I am encountering a problem. Can someone tell me if I am doing the right thing? Here is how I create certificates. (Attached are my openssl.cnf and all certificate files.)

1. Generate root certificate and private key:
     # openssl req -x509 -newkey rsa -out cacert.pem -outform PEM
   (this will generate root certificate cacert.pem and private key cakey.pem)

2. Generate a certificate request:
     # openssl req -newkey rsa:1024 -keyout testkey.pem -keyform PEM -out testreq.pem
   (this will generate private key testkey.pem and certificate request testreq.pem)

3. Issue a certificate from the certificate request:
     # openssl x509 -req -in testreq.pem -sha1 -extfile /opt/exampleca/openssl.cnf -extensions certificate_extensions -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out clientcert.pem
   (this will generate a certificate clientcert.pem)

4. Generate another certificate request:
     # openssl req -newkey rsa:1024 -keyout testkey2.pem -keyform PEM -out testreq2.pem
   (this will generate private key testkey2.pem and certificate request testreq2.pem)

5. Issue another certificate from the certificate request testreq2.pem:
     # openssl x509 -req -in testreq2.pem -sha1 -extfile /opt/exampleca/openssl.cnf -extensions certificate_extensions -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out servercert.pem
   (this will generate a certificate servercert.pem)

6. Import cacert.pem, cakey.pem and clientcert.pem to my client CPE (in Linux).

7. Import the root certificate, cacert.pem, to the Tomcat server in WinXP:
     # keytool -import -alias root -keystore acs.keystore -trustcacerts -file cacert.pem

8. Import the certificate, servercert.pem, to the Tomcat server in WinXP:
     # keytool -import -alias tomcat -keystore acs.keystore -trustcacerts -file servercert.pem

My problem is that when I do step 8, an error is encountered:

     keytool error: java.security.SignatureException: Signature does not match.

Couldn't I create both certificates, for client and server, on the same Linux machine? I am confused. Did I do anything wrong? Can anyone help? Thanks in advance.

HH

On Fri, Mar 28, 2008 at 1:41 AM, jimmy bahuleyan <[EMAIL PROTECTED]> wrote:
> 陳秀虹 wrote:
> > Thanks for the explanation.
> > I am having a problem with "Encrypted Alert".
> > At first I thought it's because the Session ID length 0 is not correct.
> > If this is not the problem, I really can't tell where it went wrong from
> > the packets I captured. I searched the web and I think "Encrypted Alert"
> > means that the alert is being encrypted. Is there any way I can decrypt
> > the alert message? Can someone give me any hint?
> > Attached is the .cap file. Thanks in advance.
> > Here is what I have.
> >
> > from Client : Client Hello
> > from Server : Server Hello, Certificate, Server Hello Done
> > from Client : Client Key Exchange, Change Cipher Spec,
> >               Encrypted Handshake Message
> > from Server : Change Cipher Spec
> > from Server : Encrypted Handshake Message
> > from Server : Encrypted Alert
>
> From your capture file,
>
> - I can see that your server certificate has a few problems (expiry
>   date, name, etc.). Well, if your client ignores all this and the key is
>   good then we may progress.
>
> - Probably the server is failing in the Client_Pre_Master check, so it
>   may be using a random value and then eventually failing when verifying
>   the Client Finished message, and sends an alert.
>
> So either the client doesn't send a proper pre-master encrypted with the
> server's RSA public key, or you have a problem on the server side. If
> so, you can check the server logs, or better, if you can debug the server
> (then you could check what happens in ssl3_get_client_key_exchange()).
>
> -jb
> --
> Real computer scientists don't comment their code. The identifiers are
> so long they can't afford the disk space.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
Attachments (binary data, not reproduced here): openssl.cnf, cacert.pem, cakey.pem, clientcert.pem, servercert.pem
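The procedure from the post, run end to end as an added example. These are not HH's commands or files: the config file, names, subjects, paths and password are invented for the demonstration, and it assumes an OpenSSL command-line tool (1.1.1 or newer) on PATH. It does the root, CSR and "x509 -req" steps with a named extension section like the post's certificate_extensions, then checks each leaf against the root with "openssl verify", which applies the same two conditions a keystore import applies: the issuer name must match a trusted certificate, and the signature must verify under that certificate's public key. It also reproduces one way that check fails, a root whose subject name matches but whose key is not the one that signed the leaf, and it bundles the server key with its certificate as PKCS#12, because "keytool -import" on its own stores only a certificate and a TLS server needs the private key in its keystore.

```shell
#!/bin/sh
# Added example, not the poster's commands or files. Assumes an OpenSSL
# command-line tool (1.1.1 or newer) on PATH; every name, subject, path
# and password below is made up for the demonstration.
set -eu

# Minimal config standing in for the poster's /opt/exampleca/openssl.cnf:
# one section for the self-signed root, one per kind of leaf certificate.
write_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
# intentionally empty: subjects are passed with -subj

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Steps 1-5 of the post: root key + self-signed certificate, then a client
# and a server certificate issued from CSRs with "openssl x509 -req".
# -nodes leaves keys unencrypted; acceptable only for a throwaway test CA.
make_pki() {
  dir="$1"
  mkdir -p "$dir"
  write_config "$dir/openssl.cnf"

  openssl req -config "$dir/openssl.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
    -days 365 -subj "/CN=Example Test CA" \
    -keyout "$dir/cakey.pem" -out "$dir/cacert.pem"

  for name in client server; do
    openssl req -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=$name.example.test" \
      -keyout "$dir/${name}key.pem" -out "$dir/${name}req.pem"
    openssl x509 -req -sha256 -days 365 -in "$dir/${name}req.pem" \
      -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
      -extfile "$dir/openssl.cnf" -extensions "${name}_ext" \
      -out "$dir/${name}cert.pem"
  done
}

# Does certificate $2 chain to CA certificate $1? Same two conditions a
# keystore import checks: issuer name matches, signature verifies under the
# issuer's public key. The output is matched rather than the exit status
# because old "openssl verify" builds exited 0 even on failure.
chain_ok() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ": OK"
}

# A root with the *same* subject name but a fresh key pair (what you get if
# step 1 is re-run after the leaves were signed). Name lookup succeeds,
# the signature check fails.
make_lookalike_ca() {
  openssl req -config "$1/openssl.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
    -days 365 -subj "/CN=Example Test CA" \
    -keyout "$1/cakey2.pem" -out "$1/cacert2.pem"
}

# A TLS server needs its private key next to the certificate. keytool
# -import adds only a trusted-certificate entry unless the alias already
# holds a key pair, so bundle key + cert + root as PKCS#12 and point the
# server at that file as its keystore instead.
make_tomcat_bundle() {
  openssl pkcs12 -export -name tomcat \
    -inkey "$1/serverkey.pem" -in "$1/servercert.pem" -certfile "$1/cacert.pem" \
    -passout pass:changeit -out "$1/server.p12"
  # Round trip: parse the bundle and check its integrity MAC with the password.
  openssl pkcs12 -in "$1/server.p12" -passin pass:changeit -noout
}

# Usage: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d)
  make_pki "$d"
  make_lookalike_ca "$d"
  make_tomcat_bundle "$d"
  for c in clientcert servercert; do
    chain_ok "$d/cacert.pem"  "$d/$c.pem" && echo "$c: OK under cacert.pem"
    chain_ok "$d/cacert2.pem" "$d/$c.pem" || echo "$c: rejected under cacert2.pem (same name, different key)"
  done
  echo "generated files are in $d"
fi
```

Before touching a keystore, run the same chain_ok check on the exact cacert.pem and servercert.pem you are about to import; if "openssl verify" does not print "OK" for the pair, no keytool invocation will accept it either, and the cause is in the issuing step rather than in the import.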