Re: Client Certificates Authentication in Tomcat v4.1.24
Hi Bill, everyone else,

For JSSE, you need to have the signer in cacerts at the moment for Tomcat to include it in the list of signers it wants. PureTLS allows you to configure the list (without being root), but other problems mean that you can only use it in TC 5 HEAD at the moment. Of course, the Tomcat support for CLIENT-CERT is pretty minimal at the moment. Only the (deprecated) MemoryRealm supports it (unless you write your own Realm).

Thanks for the information regarding the cacerts file and JSSE. After checking the configuration, I discovered that I was missing the cacerts file and have installed it into the proper directory under the $JAVA_HOME/lib/security directory hierarchy. Unfortunately, this didn't change anything, as IE is still popping up a blank box for me to select my certificate.

Does the CA certificate have to belong to any particular alias for JSSE to work? I have tried installing it with -trustcacerts and as a normal import into the aliases root and tomcat without any success. You don't need to do anything special to get the root CA into the keystore, do you? I am simply taking the CA certificate as a .pem along with the key, converting them to .der and then doing an import.

Do you happen to have any more ideas as to what is happening here or how I might be able to resolve it? I am quite happy to send a copy of the commands I am using off the list so that you can see the process that I am going through.

Thanks in advance.

Dean Thompson

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Client Certificates Authentication in Tomcat v4.1.24
ERROR: There is no such list CERTIFICATES here.

SOLUTION: Send a message to [EMAIL PROTECTED] with a subject of 'info' (no quotes) for a list of available mailing lists.

-- Sincerely, the Minimalist
Client Certificates Authentication in Tomcat v4.1.24
Hi!

I was wondering whether somebody might be able to explain what I am doing wrong with regard to the introduction of client certificates as a means of authentication under Tomcat v4.1.24, running on Solaris 8 with JDK 1.4.1_02.

I have established my own little CA using OpenSSL 0.9.7b and have generated my own self-signed certificate as well as signing a certificate for my WWW server. I have imported the WWW certificate into the Java keystore with a little import key program by Joachim Karrer and Jens Carlberg. So far, everything is fine: I can download the CA certificate to my PC running Internet Explorer 6 and install it as a .p12 file. This allows me to access my WWW site via https without any problems.

Problems start to appear when I generate a client certificate. Using the same CA, I generate and sign a certificate for a user. I then convert this certificate to a .p12 file using a command such as the following:

openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12

This can be loaded into the IE certificate manager as a personal certificate. IE will even confirm that the certificate is part of the chain belonging to the CA and that the certificate is trusted.

Problems arise when I get tomcat to request a client certificate using the CLIENT-CERT authentication method. When tomcat hits this point it instructs IE to pop up a list of certificates that I can choose from. The problem is that the list is empty; there are no certificates to choose from. According to the reading that I have done, tomcat should send IE the WWW certificate issuer information, and IE should scan its database and present the certificates which came from that issuer. This doesn't happen.

Can anyone possibly suggest a reason why this behaviour is happening and what the solution to it is? I would be interested to hear from anyone who has actually implemented client authentication with Tomcat, especially the generation of the CA and client certificates.

Thanks in advance.
Dean Thompson
Re: Client Certificates Authentication in Tomcat v4.1.24
For JSSE, you need to have the signer in cacerts at the moment for Tomcat to include it in the list of signers it wants. PureTLS allows you to configure the list (without being root), but other problems mean that you can only use it in TC 5 HEAD at the moment.

Of course, the Tomcat support for CLIENT-CERT is pretty minimal at the moment. Only the (deprecated) MemoryRealm supports it (unless you write your own Realm).

Dean Thompson [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]