Client SSL certificates signed by Windows Certificate Server
I am trying to use Windows Certificate Server to sign my client certificates.

First I tried to use a certificate that was generated in IE, but that didn't seem to work (has anyone gotten this to work before?), so now I am trying certificates generated by IBM's keyman program.

These are the steps I take:

1. In keyman, generate a key pair in a PKCS#12 file.
2. Create a certificate request based on this key pair.
3. In Microsoft Certificate Server's certsrv webpage, select the following options:
   - "Request a certificate"
   - "Advanced Request"
   - "Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file"
4. Paste the certificate request into the window.
5. Issue the certificate request on the server.
6. In Microsoft Certificate Server's certsrv webpage, select "Check on a pending certificate" and select the saved-request certificate.
7. Click on the "Download CA Certification Path" link, and save the certnew.p7b file to disk.
8. In keyman, import the .p7b file. This attaches itself to the original key pair.
9. Save the keystore as a .p12 file.
10. Import this .p12 file into IE.
11. Export the signing certificate from IE into a file called MyCA.cer.
12. Import this .cer file into Java's cacerts keystore.
13. Restart Tomcat.

At this stage everything should work, but it doesn't. I can only get it to work by exporting the new certificate itself into a .cer file and importing that into the cacerts file. For some reason, Tomcat doesn't trust Windows Certificate Server's root certificate, or at least doesn't trust any certificates signed by it, even after I have imported it into the cacerts file.

Has anyone done this before?

Thanks
Martin

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Client SSL certificates signed by Windows Certificate Server
Bill Barker wrote:
> "Martin Jericho" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> > [...]
> > > Yup, it should work as you've described. I don't know anything about WCS
> > > (or care to know :), but does it sign with an intermediate cert? If so,
> > > then you'll probably have to import the intermediate cert as well (so that
> > > Tomcat can verify BasicConstraints etc.).
>
> Of course it checks the entire cert chain. It would be a security hole if
> it didn't (e.g. anyone could simply issue themselves a cert, and login).
> All that should be required is that you have the root cert in cacerts, and
> then Tomcat should validate your client-certs (w/o requiring that they be
> imported).

Sorry to butt into this thread... I use Apache + mod_ssl to talk with OpenSSL with Tomcat behind that. I have signed my own certificate. How do I know Apache is checking the imported certificate?
Re: Client SSL certificates signed by Windows Certificate Server
- Original Message -
From: "Bill Barker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 11, 2003 2:03 PM
Subject: Re: Client SSL certificates signed by Windows Certificate Server

> "Martin Jericho" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> > I am trying to use Windows Certificate Server to sign my client certificates.
> > [...]
> > At this stage everything should work, but it doesn't. I can only get it to
> > work by exporting the new certificate itself into a .cer file and importing
> > that into the cacerts file. For some reason, Tomcat doesn't trust Windows
> > Certificate Server's root certificate, or at least doesn't trust any
> > certificates signed by it, even after I have imported it into the cacerts
> > file.
> >
> > Has anyone done this before?
>
> Yup, it should work as you've described. I don't know anything about WCS
> (or care to know :), but does it sign with an intermediate cert? If so,
> then you'll probably have to import the intermediate cert as well (so that
> Tomcat can verify BasicConstraints etc.).

No intermediate certificates.

Something else that is unexpected... Even when I import the actual certificate into cacerts, I still have to have the root certificate in there as well. Does Tomcat always check the whole certificate chain, even if it doesn't have to?
Re: Client SSL certificates signed by Windows Certificate Server
"Martin Jericho" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> I am trying to use Windows Certificate Server to sign my client certificates.
> [...]
> 11. Export the signing certificate from IE into a file called MyCA.cer
> 12. Import this cer file into Java's cacerts keystore
> 13. Restart tomcat
>
> At this stage everything should work, but it doesn't. I can only get it to
> work by exporting the new certificate itself into a .cer file and importing
> that into the cacerts file. For some reason, tomcat doesn't trust Windows
> Certificate Server's root certificate, or at least doesn't trust any
> certificates signed by it, even after I have imported it into the cacerts
> file.
>
> Has anyone done this before?

Yup, it should work as you've described. I don't know anything about WCS (or care to know :), but does it sign with an intermediate cert? If so, then you'll probably have to import the intermediate cert as well (so that Tomcat can verify BasicConstraints etc.).
Re: Client SSL certificates signed by Windows Certificate Server
"Martin Jericho" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> [...]
> > Yup, it should work as you've described. I don't know anything about WCS
> > (or care to know :), but does it sign with an intermediate cert? If so,
> > then you'll probably have to import the intermediate cert as well (so that
> > Tomcat can verify BasicConstraints etc.).
>
> No intermediate certificates.
>
> Something else that is unexpected... Even when I import the actual
> certificate into cacerts, I still have to have the root certificate in there
> as well. Does tomcat always check the whole certificate chain, even if it
> doesn't have to?

Of course it checks the entire cert chain. It would be a security hole if it didn't (e.g. anyone could simply issue themselves a cert, and login). All that should be required is that you have the root cert in cacerts, and then Tomcat should validate your client-certs (w/o requiring that they be imported).
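Bill's point here, and the intermediate-certificate case from his earlier reply, as an added example that is not part of this thread and not Tomcat's code: a Go program using the standard library's x509 path validation, which makes the same kind of PKIX check a JSSE trust manager makes against cacerts. The CA names, Ed25519 keys and validity period are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a cert for cn, signed by parent (self-signed when nil); isCA sets BasicConstraints cA=TRUE, required of every issuer.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // constructed demo serial
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only issuers may sign certificates
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // a TLS client cert
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo builds a constructed root CA, issuing CA and two client certs, then validates them as a
// server's trust manager does: a path from the leaf to a truststore root via only the intermediates sent.
func Demo() (chainSent, chainNotSent, selfIssued bool) {
	root, rootKey := newCert("Demo Root CA", true, nil, nil)
	inter, interKey := newCert("Demo Issuing CA", true, root, rootKey)
	client, _ := newCert("client signed by issuing CA", false, inter, interKey)
	rogue, _ := newCert("self-issued client", false, nil, nil)
	trust, chain := x509.NewCertPool(), x509.NewCertPool()
	trust.AddCert(root)  // the server's cacerts: CA certificates only, never the client cert
	chain.AddCert(inter) // what a well-configured client sends alongside its own cert
	verify := func(leaf *x509.Certificate, sent *x509.CertPool) bool {
		_, err := leaf.Verify(x509.VerifyOptions{Roots: trust, Intermediates: sent, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
		return err == nil
	}
	return verify(client, chain), verify(client, nil), verify(rogue, nil)
}
```

Demo() returns true, false, false: the client cert validates only when the root is trusted and the intermediate is available to build the path, and a self-issued cert is refused even though it is well formed.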