Re: Client SSL certificates signed by Windows Certificate Server
"Martin Jericho" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> - Original Message -
> From: "Bill Barker" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, August 11, 2003 2:03 PM
> Subject: Re: Client SSL certificates signed by Windows Certificate Server
>
> > "Martin Jericho" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> > > I am trying to use Windows Certificate Server to sign my client certificates.
> > >
> > > First I tried to use a certificate that was generated in IE, but that didn't seem to work (has anyone gotten this to work before?), so now I am trying certificates generated by IBM's keyman program.
> > >
> > > These are the steps I take:
> > >
> > > 1. In keyman, generate a key pair in a PKCS#12 file.
> > > 2. Create a certificate request based on this key pair
> > > 3. In Microsoft Certificate Server's certsrv webpage, select the following options:
> > >    - "Request a certificate"
> > >    - "Advanced Request"
> > >    - "Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file"
> > > 4. Paste the certificate request into the window
> > > 5. Issue the certificate request on the server
> > > 6. In Microsoft Certificate Server's certsrv webpage, select "Check on a pending certificate" and select the saved-request certificate
> > > 7. Click on the "Download CA Certification Path" link, and save the certnew.p7b file to disk
> > > 8. In keyman, import the .p7b file. This attaches itself to the original key pair.
> > > 9. Save the keystore as a .p12 file
> > > 10. Import this .p12 file into IE
> > > 11. Export the signing certificate from IE into a file called MyCA.cer
> > > 12. Import this cer file into Java's cacerts keystore
> > > 13. Restart tomcat
> > >
> > > At this stage everything should work, but it doesn't. I can only get it to work by exporting the new certificate itself into a .cer file and importing that into the cacerts file. For some reason, tomcat doesn't trust Windows Certificate Server's root certificate, or at least doesn't trust any certificates signed by it, even after I have imported it into the cacerts file.
> > >
> > > Has anyone done this before?
> >
> > Yup, it should work as you've described. I don't know anything about WCS (or care to know :), but does it sign with an intermediate cert? If so, then you'll probably have to import the intermediate cert as well (so that Tomcat can verify BasicConstraints etc.).
>
> No intermediate certificates.
>
> Something else that is unexpected... Even when I import the actual certificate into cacerts, I still have to have the root certificate in there as well. Does tomcat always check the whole certificate chain, even if it doesn't have to?

Of course it checks the entire cert chain. It would be a security hole if it didn't (e.g. anyone could simply issue themselves a cert, and login). All that should be required is that you have the root cert in cacerts, and then Tomcat should validate your client-certs (w/o requiring that they be imported).

> > > Thanks
> > > Martin

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
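As an added example that is not part of the thread (and not Tomcat's own code): a small Python model, using the `cryptography` package, of the chain check Bill describes. Every key, name and certificate is constructed inside the block. It shows that a client certificate issued from a PKCS#10 request is accepted with only the root in the trust store, and that a certificate issued by an impostor CA carrying the same name is rejected because its signature does not verify under the trusted root.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _builder(subject, issuer, public_key, days, is_ca):
    # Shared certificate skeleton; validity window is constructed around "now".
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=1))
            .not_valid_after(now + dt.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))

def make_root(cn="Constructed Root CA"):
    """A self-signed root, standing in for the Certificate Server's root (constructed)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _builder(_name(cn), _name(cn), key.public_key(), 365, True).sign(key, hashes.SHA256())
    return key, cert

def make_csr(cn="client"):
    """Steps 1-2 of the thread: a client key pair plus a PKCS#10 request for it."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = x509.CertificateSigningRequestBuilder().subject_name(_name(cn)).sign(key, hashes.SHA256())
    return key, csr

def issue(csr, ca_key, ca_cert):
    """Step 5: the CA signs the request with its own private key."""
    return _builder(csr.subject, ca_cert.subject, csr.public_key(), 30, False).sign(ca_key, hashes.SHA256())

def trusted_by(leaf, trust_store):
    """Chain check: accept the leaf only if a CA certificate in the store (think cacerts)
    signed it. The leaf itself need not be in the store; a self-issued cert fails."""
    for anchor in trust_store:
        bc = anchor.extensions.get_extension_for_class(x509.BasicConstraints).value
        if leaf.issuer != anchor.subject or not bc.ca:
            continue
        try:
            anchor.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes, padding.PKCS1v15(), leaf.signature_hash_algorithm)
            return True
        except InvalidSignature:
            continue
    return False
```

The check is deliberately minimal (no validity-period, revocation or key-usage handling) so the signature step that needs the root stays visible.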
Re: Client SSL certificates signed by Windows Certificate Server
"Martin Jericho" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> I am trying to use Windows Certificate Server to sign my client certificates.
>
> First I tried to use a certificate that was generated in IE, but that didn't seem to work (has anyone gotten this to work before?), so now I am trying certificates generated by IBM's keyman program.
>
> These are the steps I take:
>
> 1. In keyman, generate a key pair in a PKCS#12 file.
> 2. Create a certificate request based on this key pair
> 3. In Microsoft Certificate Server's certsrv webpage, select the following options:
>    - "Request a certificate"
>    - "Advanced Request"
>    - "Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file"
> 4. Paste the certificate request into the window
> 5. Issue the certificate request on the server
> 6. In Microsoft Certificate Server's certsrv webpage, select "Check on a pending certificate" and select the saved-request certificate
> 7. Click on the "Download CA Certification Path" link, and save the certnew.p7b file to disk
> 8. In keyman, import the .p7b file. This attaches itself to the original key pair.
> 9. Save the keystore as a .p12 file
> 10. Import this .p12 file into IE
> 11. Export the signing certificate from IE into a file called MyCA.cer
> 12. Import this cer file into Java's cacerts keystore
> 13. Restart tomcat
>
> At this stage everything should work, but it doesn't. I can only get it to work by exporting the new certificate itself into a .cer file and importing that into the cacerts file. For some reason, tomcat doesn't trust Windows Certificate Server's root certificate, or at least doesn't trust any certificates signed by it, even after I have imported it into the cacerts file.
>
> Has anyone done this before?

Yup, it should work as you've described. I don't know anything about WCS (or care to know :), but does it sign with an intermediate cert? If so, then you'll probably have to import the intermediate cert as well (so that Tomcat can verify BasicConstraints etc.).

> Thanks
> Martin
Re: Client SSL certificates signed by Windows Certificate Server
- Original Message -
From: "Bill Barker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 11, 2003 2:03 PM
Subject: Re: Client SSL certificates signed by Windows Certificate Server

> "Martin Jericho" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> > I am trying to use Windows Certificate Server to sign my client certificates.
> >
> > First I tried to use a certificate that was generated in IE, but that didn't seem to work (has anyone gotten this to work before?), so now I am trying certificates generated by IBM's keyman program.
> >
> > These are the steps I take:
> >
> > 1. In keyman, generate a key pair in a PKCS#12 file.
> > 2. Create a certificate request based on this key pair
> > 3. In Microsoft Certificate Server's certsrv webpage, select the following options:
> >    - "Request a certificate"
> >    - "Advanced Request"
> >    - "Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file"
> > 4. Paste the certificate request into the window
> > 5. Issue the certificate request on the server
> > 6. In Microsoft Certificate Server's certsrv webpage, select "Check on a pending certificate" and select the saved-request certificate
> > 7. Click on the "Download CA Certification Path" link, and save the certnew.p7b file to disk
> > 8. In keyman, import the .p7b file. This attaches itself to the original key pair.
> > 9. Save the keystore as a .p12 file
> > 10. Import this .p12 file into IE
> > 11. Export the signing certificate from IE into a file called MyCA.cer
> > 12. Import this cer file into Java's cacerts keystore
> > 13. Restart tomcat
> >
> > At this stage everything should work, but it doesn't. I can only get it to work by exporting the new certificate itself into a .cer file and importing that into the cacerts file. For some reason, tomcat doesn't trust Windows Certificate Server's root certificate, or at least doesn't trust any certificates signed by it, even after I have imported it into the cacerts file.
> >
> > Has anyone done this before?
>
> Yup, it should work as you've described. I don't know anything about WCS (or care to know :), but does it sign with an intermediate cert? If so, then you'll probably have to import the intermediate cert as well (so that Tomcat can verify BasicConstraints etc.).

No intermediate certificates.

Something else that is unexpected... Even when I import the actual certificate into cacerts, I still have to have the root certificate in there as well. Does tomcat always check the whole certificate chain, even if it doesn't have to?

> > Thanks
> > Martin
Re: Client SSL certificates signed by Windows Certificate Server
Bill Barker wrote:
> "Martin Jericho" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> > - Original Message -
> > From: "Bill Barker" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, August 11, 2003 2:03 PM
> > Subject: Re: Client SSL certificates signed by Windows Certificate Server
> >
> > > "Martin Jericho" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> > > > I am trying to use Windows Certificate Server to sign my client certificates.
> > > >
> > > > First I tried to use a certificate that was generated in IE, but that didn't seem to work (has anyone gotten this to work before?), so now I am trying certificates generated by IBM's keyman program.
> > > >
> > > > These are the steps I take:
> > > >
> > > > 1. In keyman, generate a key pair in a PKCS#12 file.
> > > > 2. Create a certificate request based on this key pair
> > > > 3. In Microsoft Certificate Server's certsrv webpage, select the following options:
> > > >    - "Request a certificate"
> > > >    - "Advanced Request"
> > > >    - "Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file"
> > > > 4. Paste the certificate request into the window
> > > > 5. Issue the certificate request on the server
> > > > 6. In Microsoft Certificate Server's certsrv webpage, select "Check on a pending certificate" and select the saved-request certificate
> > > > 7. Click on the "Download CA Certification Path" link, and save the certnew.p7b file to disk
> > > > 8. In keyman, import the .p7b file. This attaches itself to the original key pair.
> > > > 9. Save the keystore as a .p12 file
> > > > 10. Import this .p12 file into IE
> > > > 11. Export the signing certificate from IE into a file called MyCA.cer
> > > > 12. Import this cer file into Java's cacerts keystore
> > > > 13. Restart tomcat
> > > >
> > > > At this stage everything should work, but it doesn't. I can only get it to work by exporting the new certificate itself into a .cer file and importing that into the cacerts file. For some reason, tomcat doesn't trust Windows Certificate Server's root certificate, or at least doesn't trust any certificates signed by it, even after I have imported it into the cacerts file.
> > > >
> > > > Has anyone done this before?
> > >
> > > Yup, it should work as you've described. I don't know anything about WCS (or care to know :), but does it sign with an intermediate cert? If so, then you'll probably have to import the intermediate cert as well (so that Tomcat can verify BasicConstraints etc.).
>
> Of course it checks the entire cert chain. It would be a security hole if it didn't (e.g. anyone could simply issue themselves a cert, and login). All that should be required is that you have the root cert in cacerts, and then Tomcat should validate your client-certs (w/o requiring that they be imported).

Sorry to butt into this thread... I use Apache + mod_ssl to talk with OpenSSL with Tomcat behind that. I have signed my own certificate. How do I know Apache is checking the imported certificate?