Re: Tomcat 4 - OpenSSL - IE client certificate works partially

2002-07-03 Thread Henrik Schultz


Hi Peter,

Thanks for your reply. We can all use a day off now and then :-)

In the meantime I have cracked the nut...! Yes, really!! Last night I
succeeded in sending a self-generated certificate from IE to Tomcat that
was verified and accepted and let me in on the site. I still have to sort
out the exact chain of events that led to this discovery, and will mail
them to you and the list once I've got them in correct order. Here are some
hints though:

In retrospect, I did make some mistakes along the way, such as installing
my private self-issued certificate in the IE keystore WITHOUT the private
key. In other words, I installed the certificate by converting it into DER
format, and then importing it into IE. Wrong!
What you MUST do is to combine both the certificate AND the private key
into a PKCS#12 format (using "openssl pkcs12"), and then install that in
IE. Once I did that it worked. This was apparently the reason for the SSL
handshake failure that we both have seen. You should verify if this solves
your problem too.

NB. To install other peoples certificates, as well as CA and server
certificates, one should still only install the certificate in DER format,
WITHOUT the key. Particularly for your own CA certificate ;-)

However other things I did prior to that may have attributed to the process
too, this is what I need to sort out. One thing I found was that IE does
not like keys longer than 1024 bits. I experimented with 512 bit keys right
before I succeeded, so that may have left some files in a different order.

Of other noteworthy observations: you MUST use your own CA certificate to
sign EVERYTHING (server + clients), AND the CA certificate should be
installed in the Tomcat JKS keystore (used for client cert validation), AND
the CA cert should also be in the trusted CA's file under JRE (used for
client cert selection in IE).

A tricky part is to create a "keyEntry" certificate in the JKS keystore for
Tomcat; if you just create your own key + cert and install that in the
keystore using keytool, it will show up as a "trustedCertEntry", because
the private key is not imported. So, you actually start out by creating the
JKS certificate following the guidelines for keytool, then you create a
CERTREQ using keytool, and then you sign that request using your own CA
cert. Finally you import the signed cert back into the keystore (this is
the only time keytool allows you to import a certificate which already
exists in the keystore!), and voila! you have a self-CA-signed cert for
Tomcat.
(If you know of ways to import a private key for en existing certificate in
a JKS please let me know.)

Hope these intial comments helps. Otherwise stay tuned for the HOW-TO :-)

Regards -

Henrik Schultz
Senior Systems Architect
Consultant to Maersk Data AS
Tel.: +45 39 10 21 13
Mobile: +45 22 12 24 29
E-mail: [EMAIL PROTECTED]



   

   

"Peter Werno"  To: "Henrik Schultz" 
<[EMAIL PROTECTED]>
<[EMAIL PROTECTED]cc: 
        
                m>     Subject:  Re: Tomcat 4 - OpenSSL - IE 
client certificate works partially
   

02-07-2002 

20:30  

   

   

   




Hello Henrik,

sorry for not getting back to you, I had a day off :-)

I will try to change the Server-Certificate to a "real" (ca-issued)
certificate tomorrow and let you know if it works. I have previously
used Apache as the webserver and mod_webapp to publish my
Web-Applications through to the user.
This has always worked fine, however, I have never tried with anything
else than a "real" cert in this configuration.

If you would like to try Apache, I can recommend the mod_ssl -
documentation, it is very detaile

RE: Tomcat 4 - OpenSSL - IE client certificate works partially

2002-07-02 Thread Henrik Schultz


You could also use a temporary Verisign certificate to test with, which is
what I have done so far.

No, I did not try Netscape myself due to a proxy issue, but someone else on
th list did that, and that came up with a strange error:
"unknown SSL Error -12227"
Have still no clue what this is. At least NS is saying something, contrary
to IE that just gives me that bloody "Page cannot be displayed".

When I've gotten it all to work I'll write up a HOW-TO. Promise. Enough
people have been struggling with this now for way too long.

Regards -

Henrik Schultz
Senior Systems Architect
Consultant to Maersk Data AS
Tel.: +45 39 10 21 13
Mobile: +45 22 12 24 29
E-mail: [EMAIL PROTECTED]


   

   

"Adam Greene"  To: "Tomcat Users List" 
<[EMAIL PROTECTED]>    
                     Subject:  RE: Tomcat 4 - OpenSSL - IE 
client certificate works partially
   

02-07-2002 

10:18  

Please respond 

to "Tomcat 

Users List"

   

   

   




I would absolutely love a HOW-TO.  I have a project that is going to
require
certs for security.  I will ultimately have to use a Verisign or Thawte
cert, but I can certainly test with the homemade ones.  Also, have you
tried
to get Netscape or Mozilla to work??

Adam Greene
ROMulin Group Inc

885 Main St, Suite 16
Moncton, NB
E1C 1G5

Ph: (506) 863-1014 x4
Fx: (506) 854-6886

http://www.romulin.com/

-Original Message-
From: Henrik Schultz [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 01, 2002 11:43 AM
To: tomcat-user
Subject: Tomcat 4 - OpenSSL - IE client certificate works partially


Greetings all...

For those not interested in client certificates at the deep technical
level, this is probably not your favorite cup of tea. Otherwise read on.

Enabling SSL in Tomcat is really no sweat using your own home-made
certificates, thanks to the excellent  HOW-TO. Once you get your root CA
certificate installed in the right places, and a suitable certificate
installed in Tomcat, everything works just fine.

However, creating client certificates that works with IE has (at least for
me) shown to be a real pain. I've experimented for months, and tried
numerous postings on this list, but noone seemed to know the finer details.
It was only recently I had a breakthrough, in that a trial certificate from
Verisign allowed me to compare that and a home-made one, and find the bits
that makes the difference, that is, what it takes for it to be shown on the
selection list in IE when the server asks for a client certificate.
Last night I succeeded. The right combination of keytool and openssl
maneuvres to setup a private CA, finally generated a certificate that
installed without a hitch in IE, and came up when I subsequently connected
to my SSL enabled Tomcat. So far so good.

However there is still one major obstacle ... the server aborts the
connection right away :-

IE tells me:

"The page cannot be displayed
The page you are looking for is currently unavailable.
The Web site might be experiencing technical difficulties,
or you may need to adjust your browser settings."

In other words, the usual message that indicates that the server screwed
up, and closed the connection.

Interestingly enough the Verisign certificate works just fine. So there is
apparently still a difference to Tomcat.
Have tried to connect using openssl s_client - works A-OK, also with my
home-made certificate.
Have looked in the tomcat logs to no ava

RE: Tomcat 4 - OpenSSL - IE client certificate works partially

2002-07-02 Thread Adam Greene

I would absolutely love a HOW-TO.  I have a project that is going to require
certs for security.  I will ultimately have to use a Verisign or Thawte
cert, but I can certainly test with the homemade ones.  Also, have you tried
to get Netscape or Mozilla to work??

Adam Greene
ROMulin Group Inc

885 Main St, Suite 16
Moncton, NB
E1C 1G5

Ph: (506) 863-1014 x4
Fx: (506) 854-6886

http://www.romulin.com/

-Original Message-
From: Henrik Schultz [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 01, 2002 11:43 AM
To: tomcat-user
Subject: Tomcat 4 - OpenSSL - IE client certificate works partially


Greetings all...

For those not interested in client certificates at the deep technical
level, this is probably not your favorite cup of tea. Otherwise read on.

Enabling SSL in Tomcat is really no sweat using your own home-made
certificates, thanks to the excellent  HOW-TO. Once you get your root CA
certificate installed in the right places, and a suitable certificate
installed in Tomcat, everything works just fine.

However, creating client certificates that works with IE has (at least for
me) shown to be a real pain. I've experimented for months, and tried
numerous postings on this list, but noone seemed to know the finer details.
It was only recently I had a breakthrough, in that a trial certificate from
Verisign allowed me to compare that and a home-made one, and find the bits
that makes the difference, that is, what it takes for it to be shown on the
selection list in IE when the server asks for a client certificate.
Last night I succeeded. The right combination of keytool and openssl
maneuvres to setup a private CA, finally generated a certificate that
installed without a hitch in IE, and came up when I subsequently connected
to my SSL enabled Tomcat. So far so good.

However there is still one major obstacle ... the server aborts the
connection right away :-

IE tells me:

"The page cannot be displayed
The page you are looking for is currently unavailable.
The Web site might be experiencing technical difficulties,
or you may need to adjust your browser settings."

In other words, the usual message that indicates that the server screwed
up, and closed the connection.

Interestingly enough the Verisign certificate works just fine. So there is
apparently still a difference to Tomcat.
Have tried to connect using openssl s_client - works A-OK, also with my
home-made certificate.
Have looked in the tomcat logs to no avail. There is no trace anywhere why
the connection breaks.

So the question to the list is: how would I go by diagnosing this? I
believe that the problem must be related to the SSL container (?) that
responds to the traffic on port 443, and does all the SSL handshaking,
because my application never sees anything.
Just like in Apache there's an error log for all the pages that fail -
isn't there such a log in Tomcat?

Thanks for any input or advice you might have!

PS. If anyone is interested in a writeup or HOW-TO of making client
certificates for Tomcat, let me know. This is certainly tricky stuff!

Henrik Schultz
Senior Systems Architect
Consultant to Maersk Data AS
Tel.: +45 39 10 21 13
Mobile: +45 22 12 24 29
E-mail: [EMAIL PROTECTED]


--
To unsubscribe, e-mail:

For additional commands, e-mail:



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 




RE: Tomcat 4 - OpenSSL - IE client certificate works partially

2002-07-02 Thread Adam Greene

I don't know if this applies to Apache Tomcat, but Apache Web Server does
not like IE certs.  There was an article in Eweek that talked about how
Apache follows the standard, and Microsoft (as usual) "innovated" in regards
to SSL, TLS, etc.  So that Internet Explorer does work quite right with
Apache Web Server.  This might be what you are seeing.  Verisign must have
"broken" their certs to work with both IIS and Apache.

Adam Greene
ROMulin Group Inc

885 Main St, Suite 16
Moncton, NB
E1C 1G5

Ph: (506) 863-1014 x4
Fx: (506) 854-6886

http://www.romulin.com/

-Original Message-
From: Henrik Schultz [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 01, 2002 11:43 AM
To: tomcat-user
Subject: Tomcat 4 - OpenSSL - IE client certificate works partially


Greetings all...

For those not interested in client certificates at the deep technical
level, this is probably not your favorite cup of tea. Otherwise read on.

Enabling SSL in Tomcat is really no sweat using your own home-made
certificates, thanks to the excellent  HOW-TO. Once you get your root CA
certificate installed in the right places, and a suitable certificate
installed in Tomcat, everything works just fine.

However, creating client certificates that works with IE has (at least for
me) shown to be a real pain. I've experimented for months, and tried
numerous postings on this list, but noone seemed to know the finer details.
It was only recently I had a breakthrough, in that a trial certificate from
Verisign allowed me to compare that and a home-made one, and find the bits
that makes the difference, that is, what it takes for it to be shown on the
selection list in IE when the server asks for a client certificate.
Last night I succeeded. The right combination of keytool and openssl
maneuvres to setup a private CA, finally generated a certificate that
installed without a hitch in IE, and came up when I subsequently connected
to my SSL enabled Tomcat. So far so good.

However there is still one major obstacle ... the server aborts the
connection right away :-

IE tells me:

"The page cannot be displayed
The page you are looking for is currently unavailable.
The Web site might be experiencing technical difficulties,
or you may need to adjust your browser settings."

In other words, the usual message that indicates that the server screwed
up, and closed the connection.

Interestingly enough the Verisign certificate works just fine. So there is
apparently still a difference to Tomcat.
Have tried to connect using openssl s_client - works A-OK, also with my
home-made certificate.
Have looked in the tomcat logs to no avail. There is no trace anywhere why
the connection breaks.

So the question to the list is: how would I go by diagnosing this? I
believe that the problem must be related to the SSL container (?) that
responds to the traffic on port 443, and does all the SSL handshaking,
because my application never sees anything.
Just like in Apache there's an error log for all the pages that fail -
isn't there such a log in Tomcat?

Thanks for any input or advice you might have!

PS. If anyone is interested in a writeup or HOW-TO of making client
certificates for Tomcat, let me know. This is certainly tricky stuff!

Henrik Schultz
Senior Systems Architect
Consultant to Maersk Data AS
Tel.: +45 39 10 21 13
Mobile: +45 22 12 24 29
E-mail: [EMAIL PROTECTED]


--
To unsubscribe, e-mail:

For additional commands, e-mail:



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 




Re: Tomcat 4 - OpenSSL - IE client certificate works partially

2002-07-02 Thread Henrik Schultz

Peter wrote:

>this pretty much sounds like the same problem I was experiencing and
>posted earlier today. Sadly, your link below only gives hints on how
>to intall a SERVER certificate, but not on how to configure everything
>to ask for a CLIENT cert.

This is what I found too. However, the ImportKey program sounds like
a nifty little thing that could come in handy. Thanks for the link
Schwarz!

The few other responses I got to my first posting were along the same
lines, so for the sake of making sure everybody understands this
correctly, let me reiterate:

This is about CLIENT certificates.
Apparently Tomcat gives up mysteriously when receiving a home-made
certificate (perhaps the thread dies or something), but in any case
the connection is quietly closed with no trace or log messages
to be found anywhere.

>I have exactly the same problem where the
>initial handshake with the exchange of the SERVER cert is just fine,
>but then the connection breaks leaving you with absolutely NO
>LOG-entry as to why it broke 

Ok, so I'm not the only having this problem, that's assuring... somehow ;-)

>So far, I was only able to get an error-message out of Netscape (6.x)
>saying "unknown SSL Error -12227"

I tried to use NS too to find out more, but I had some problems with the
firewall I'm behind to get to my server, so I never got to it.
Unknown SSL error ... Hmm!

>Would it make sense to post this on the tomcat-development-list?

I think so. Regardless of why our own certificates does not work, it
is highly problematic that there are no trace of what goes wrong
anywhere.
Do you have experience in this, or do you have the FAQ handy?
I've never tried this myself, but one time has to be the first
I guess :-)

Regards -

Henrik Schultz
Senior Systems Architect
Consultant to Maersk Data AS
Tel.: +45 39 10 21 13
Mobile: +45 22 12 24 29
E-mail: [EMAIL PROTECTED]


--
To unsubscribe, e-mail:   
For additional commands, e-mail: 




Re: Tomcat 4 - OpenSSL - IE client certificate works partially

2002-07-01 Thread Ismael Blesa Part

The problem with homemade digital certificates generated with the 
Keytool is that they are self signed, then IExplorer and other browsers 
does
not trust them and does not let you use it for user authentication. 
However if you make your own CA using openssl and you generates server and
client certificates you will see that it works. You have only to add 
your new CA on the trusted group for IExplorer (similar with other 
browsers).

When you make a connection to a secure server, it returns data about in 
which  CAs it will accepct (which CA, means which client digital 
certificates
signed with the given CAs)

You can also use Thawte test certificates (client & server) but it is 
the same if you use openssl as I describe above.

Please, send me your howto and I will take a look :)

By the way If you use Apache as frontend your setup will work better and 
faster and you will be able to make load balance ;)

Henrik Schultz wrote:

>Greetings all...
>
>For those not interested in client certificates at the deep technical
>level, this is probably not your favorite cup of tea. Otherwise read on.
>
>Enabling SSL in Tomcat is really no sweat using your own home-made
>certificates, thanks to the excellent  HOW-TO. Once you get your root CA
>certificate installed in the right places, and a suitable certificate
>installed in Tomcat, everything works just fine.
>
>However, creating client certificates that works with IE has (at least for
>me) shown to be a real pain. I've experimented for months, and tried
>numerous postings on this list, but noone seemed to know the finer details.
>It was only recently I had a breakthrough, in that a trial certificate from
>Verisign allowed me to compare that and a home-made one, and find the bits
>that makes the difference, that is, what it takes for it to be shown on the
>selection list in IE when the server asks for a client certificate.
>Last night I succeeded. The right combination of keytool and openssl
>maneuvres to setup a private CA, finally generated a certificate that
>installed without a hitch in IE, and came up when I subsequently connected
>to my SSL enabled Tomcat. So far so good.
>
>However there is still one major obstacle ... the server aborts the
>connection right away :-
>
>IE tells me:
>
>"The page cannot be displayed
>The page you are looking for is currently unavailable.
>The Web site might be experiencing technical difficulties,
>or you may need to adjust your browser settings."
>
>In other words, the usual message that indicates that the server screwed
>up, and closed the connection.
>
>Interestingly enough the Verisign certificate works just fine. So there is
>apparently still a difference to Tomcat.
>Have tried to connect using openssl s_client - works A-OK, also with my
>home-made certificate.
>Have looked in the tomcat logs to no avail. There is no trace anywhere why
>the connection breaks.
>
>So the question to the list is: how would I go by diagnosing this? I
>believe that the problem must be related to the SSL container (?) that
>responds to the traffic on port 443, and does all the SSL handshaking,
>because my application never sees anything.
>Just like in Apache there's an error log for all the pages that fail -
>isn't there such a log in Tomcat?
>
>Thanks for any input or advice you might have!
>
>PS. If anyone is interested in a writeup or HOW-TO of making client
>certificates for Tomcat, let me know. This is certainly tricky stuff!
>
>Henrik Schultz
>Senior Systems Architect
>Consultant to Maersk Data AS
>Tel.: +45 39 10 21 13
>Mobile: +45 22 12 24 29
>E-mail: [EMAIL PROTECTED]
>
>
>--
>To unsubscribe, e-mail:   
>For additional commands, e-mail: 
>
>
>  
>




--
To unsubscribe, e-mail:   
For additional commands, e-mail: 




Re: Tomcat 4 - OpenSSL - IE client certificate works partially

2002-07-01 Thread Dmitry ...


 I'd be interested too...
  Marcelo Demestri <[EMAIL PROTECTED]> wrote: Hi Henrik !!!
I'm interested in your "HOW-TO" for making client certificates for
Tomcat...
and don't worry, i love the tricky stuff !!! :-)
Thanks...


Marcelo

- Original Message -
From: "Henrik Schultz" 
To: "tomcat-user" 
Sent: Monday, July 01, 2002 7:42 AM
Subject: Tomcat 4 - OpenSSL - IE client certificate works partially


>
> Greetings all...
>
> PS. If anyone is interested in a writeup or HOW-TO of making client
> certificates for Tomcat, let me know. This is certainly tricky stuff!


--
To unsubscribe, e-mail: 
For additional commands, e-mail: 



-
Do You Yahoo!?
Sign-up for Video Highlights of 2002 FIFA World Cup


Re: Tomcat 4 - OpenSSL - IE client certificate works partially

2002-07-01 Thread Marcelo Demestri

Hi Henrik !!!
I'm interested in your "HOW-TO" for making client certificates for
Tomcat...
and don't worry, i love the tricky stuff !!! :-)
Thanks...


Marcelo

- Original Message -
From: "Henrik Schultz" <[EMAIL PROTECTED]>
To: "tomcat-user" 
Sent: Monday, July 01, 2002 7:42 AM
Subject: Tomcat 4 - OpenSSL - IE client certificate works partially


>
> Greetings all...
>
> PS. If anyone is interested in a writeup or HOW-TO of making client
> certificates for Tomcat, let me know. This is certainly tricky stuff!


--
To unsubscribe, e-mail:   
For additional commands, e-mail: