Re: Re: Re: Re: X509 certificates and https
Sorry, I'm not familiar with this environment. Which CA certificate is your server certificate signed with? Give me some important attributes. Perhaps I can send you this certificate as an attachment.

Julie McCabe <[EMAIL PROTECTED]>
27-05-2004 16:47
Please reply to "Tomcat Users List"

To: "Tomcat Users List" <[EMAIL PROTECTED]>
cc:
Subject: Re: Re: Re: X509 certificates and https

Hello,

I should have included this in my original mail but I am using Mozilla 1.4.1 on RedHat Linux 9.0 - any ideas?

Julie.

On Thursday 27 May 2004 15:47, [EMAIL PROTECTED] wrote:
> If you use Internet Explorer you simply go to the Trusted Certificate
> Authorities, select the CA certificate and export it to some format.
> You should then be able to import it into your trusted keystore.
>
> Ron
>
> Julie McCabe <[EMAIL PROTECTED]>
> 27-05-2004 16:21
> Please reply to "Tomcat Users List"
>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>
> cc:
> Subject: Re: X509 certificates and https
>
> Hi,
>
> I tried the following command
>
> keytool -import -alias tomcat -keystore server.ks -trustcacerts -file server.crt
>
> with my certificate and key which are in pem format and it returned
>
> keytool error: java.lang.Exception: Input not an X.509 certificate
>
> I have the CA certificate stored in my browser but can't see how I can
> export it?
>
> Thanks
> Julie.
>
> On Thursday 27 May 2004 15:24, [EMAIL PROTECTED] wrote:
> > The only thing you have to do is run the java keytool utility with
> > the following command:
> >
> > keytool -import -alias tomcat -keystore server.ks -trustcacerts -file server.crt
> >
> > This inserts the server.crt certificate into the keystore that tomcat
> > uses.
> >
> > Your CA certificate needs to be in the trusted keystore of your JRE
> > under which Tomcat runs.
> > If this is not the case put it in there as follows:
> >
> > keytool -import -keystore %JAVA_HOME%/lib/security/cacerts -file ca.pem -alias my_alias
> >
> > This inserts the root certificate ca.pem into the trusted keystore of
> > the JRE being used.
> >
> > This should work.
> >
> > Ron Blom

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Re: X509 certificates and https
If you use Internet Explorer you simply go to the Trusted Certificate Authorities, select the CA certificate and export it to some format. You should then be able to import it into your trusted keystore.

Ron

Julie McCabe <[EMAIL PROTECTED]>
27-05-2004 16:21
Please reply to "Tomcat Users List"

To: "Tomcat Users List" <[EMAIL PROTECTED]>
cc:
Subject: Re: X509 certificates and https

Hi,

I tried the following command

keytool -import -alias tomcat -keystore server.ks -trustcacerts -file server.crt

with my certificate and key which are in pem format and it returned

keytool error: java.lang.Exception: Input not an X.509 certificate

I have the CA certificate stored in my browser but can't see how I can export it?

Thanks
Julie.

On Thursday 27 May 2004 15:24, [EMAIL PROTECTED] wrote:
> The only thing you have to do is run the java keytool utility with
> the following command:
>
> keytool -import -alias tomcat -keystore server.ks -trustcacerts -file server.crt
>
> This inserts the server.crt certificate into the keystore that tomcat
> uses.
>
> Your CA certificate needs to be in the trusted keystore of your JRE under
> which Tomcat runs.
> If this is not the case put it in there as follows:
>
> keytool -import -keystore %JAVA_HOME%/lib/security/cacerts -file ca.pem -alias my_alias
>
> This inserts the root certificate ca.pem into the trusted keystore of the
> JRE being used.
>
> This should work.
>
> Ron Blom
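
Added example, not part of any message in this thread: keytool -import expects a file that holds only an X.509 certificate, so a PEM file that also carries the private key or free text is one possible cause (assumed here, not confirmed in the thread) of the "Input not an X.509 certificate" error above. The sketch lists the blocks in a PEM file and keeps only the CERTIFICATE blocks; the function names and the sample data are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: keep only certificate blocks of a PEM file.

# Print the label of every PEM block in the file, one per line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Print only the CERTIFICATE blocks, dropping private keys, free text
# between blocks and trailing carriage returns.
pem_certs_only() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inside = 1 }
        inside { sub(/\r$/, ""); print }
        /^-----END CERTIFICATE-----/ { inside = 0 }
    ' "$1"
}

# Succeed when the file starts with a certificate header and holds no key.
cert_only_file() {
    [ "$(sed -n '1p' "$1" | tr -d '\r')" = "-----BEGIN CERTIFICATE-----" ] &&
        ! pem_labels "$1" | grep -q 'PRIVATE KEY'
}

# Constructed sample: key, a text line, then a certificate. The base64
# bodies are placeholders, not real key or certificate data.
write_sample() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItS0VZ
-----END RSA PRIVATE KEY-----
subject=/CN=constructed.example
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItQ0VSVA==
-----END CERTIFICATE-----
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/server.pem"
pem_labels "$tmp/server.pem"
if cert_only_file "$tmp/server.pem"; then echo "already certificate-only"; fi
pem_certs_only "$tmp/server.pem" > "$tmp/server.crt"
cert_only_file "$tmp/server.crt" && echo "server.crt: certificate blocks only"
# A real server.crt produced this way is what goes after -file in the
# keytool -import command quoted in the thread.
rm -rf "$tmp"
```

The private key stays out of the file handed to keytool -import; that command only takes certificates.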
Re: X509 certificates and https
The only thing you have to do is run the java keytool utility with the following command:

keytool -import -alias tomcat -keystore server.ks -trustcacerts -file server.crt

This inserts the server.crt certificate into the keystore that tomcat uses.

Your CA certificate needs to be in the trusted keystore of your JRE under which Tomcat runs. If this is not the case put it in there as follows:

keytool -import -keystore %JAVA_HOME%/lib/security/cacerts -file ca.pem -alias my_alias

This inserts the root certificate ca.pem into the trusted keystore of the JRE being used.

This should work.

Ron Blom
Re: X509 certificates and https
The only thing you have to do is run the java keytool utility with the following command:

keytool -import -alias tomcat -keystore server.ks -trustcacerts -file server.crt

This inserts the server.crt certificate into the keystore that tomcat uses.

Ron Blom

Julie McCabe <[EMAIL PROTECTED]>
27-05-2004 15:28
Please reply to "Tomcat Users List"

To: "Tomcat Users List" <[EMAIL PROTECTED]>
cc:
Subject: X509 certificates and https

Hello,

I am trying to use SSL authentication with X509 certificates. The certificates are not in the Java keystore. I would like to know how to get my certificate which is signed by a specific CA into the keystore and use the https connector.

I have found some documentation on the web but have had little success with getting my certificates into the keystore and SSL Connector configuration. I know my certificates are valid, maybe I am missing something with regards to the CA which signed the certificate.

I am using tomcat 4.1.27, Red Hat Linux 9.0.

Thanks,
Julie.
Re: How to know http port and https port on tomcat
Just <%= request.getScheme() %>

Ron Blom

"Mariano" <[EMAIL PROTECTED]>
27-05-2004 14:49
Please reply to "Tomcat Users List"

To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
cc:
Subject: How to know http port and https port on tomcat

Hi all,

can I know which port tomcat is using for http and https in a jsp page or servlet? These values are set in the server.xml file in the coyote connector port, for example:

Thanks
Mariano López
Client-certificate issues
Hi,

I want to use client-certificate authentication in our web application. There are two things that I really don't understand:

First: Why is it necessary to set clientAuth = true in the Factory-tag when configuring a Connector for SSL in server.xml, when only a certain part of the application should be protected from unauthorized access? It seems to me that this flag should only indicate whether mutual authentication (server and client authentication) should occur during the SSL-handshake or not. Consider the situation where I set this flag to false and set a security role constraint for a certain servlet with authentication method CLIENT-CERT. I would then expect that Tomcat asks the web browser to present the client certificate (and binds it as an attribute to the request object) the moment I try to connect to this protected servlet. Instead I get the error

No certificate chain found in this request.

The only possible moment to authenticate a user is during the mutual authentication (i.e. setting the clientAuth flag to yes) when the user is connected to the application for the first time. I think this does not conform to any of Sun's servlet specifications. Is this really a restriction of Tomcat or not?

Second: When I set a security role constraint for a servlet with CLIENT-CERT as an authentication method, Tomcat forces me to put a CONFIDENTIAL transport guarantee constraint for this servlet in web.xml. Although I understand that for the client certificate authentication process an SSL connection is used, I don't understand why the access to the servlet itself also must occur over an SSL-connection. I only want the CLIENT-CERT as a secure authenticating mechanism, but I don't always want a confidential transport (which puts a heavy load on the overall performance of my web application). Is this also a restriction of Tomcat? If not, what should I do to accomplish this?

Thanks in advance,
Ron Blom