Re: SSL Client authentication with standalone Tomcat

Wolfgang Stein [EMAIL PROTECTED] writes:
> As far as I understand the client-auth handshake, the server sends a list of
> trusted CAs to the client. This list is taken from
> JAVA_HOME_set_in_your_tomcat\lib\security\cacerts
> So you have to import your CA cert into that file, instead of your .keystore.
> There is no need to import the client cert into cacerts or keystore.

First, sorry for not responding earlier to this thread. My laptop died and stopped my forward momentum for a few days.

This solved my problem; I had thought I needed to do something like that, but hadn't known how, exactly. Thanks a lot!

-- 
Brian Palmer
Whoever fights monsters should see to it that in the process he does not become a monster. And when you look long into an abyss, the abyss also looks into you - Nietzsche

--
To unsubscribe: mailto:[EMAIL PROTECTED]
For additional commands: mailto:[EMAIL PROTECTED]
Troubles with the list: mailto:[EMAIL PROTECTED]
RE: SSL Client authentication with standalone Tomcat

Hi,

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Palmer
> Sent: Tuesday, February 26, 2002 12:58 PM
> To: [EMAIL PROTECTED]
> Subject: SSL Client authentication with standalone Tomcat
>
> I'm trying to set up for a simple project client-authentication and CA
> abilities, using standalone tomcat and openssl. I'm not having luck. The
> short version is, when I enable clientAuth, I am unable to connect to the
> server, getting various messages (in Mozilla 0.9.8, I get no error messages
> but the page will not load; using openssl s_client I get a write error).
>
> Forgive me in advance for this long message, but my hope is that by
> explicitly stating what I'm doing, it will be easy for someone more
> experienced to see where I'm going wrong. I've spent much of the last 2 days
> searching online for information and trying different approaches; most of
> the problems/solutions don't give a lot of details.
>
> I've done the following:
>
> Step 1: Generate the tomcat request for certificate
>   keytool -genkey -alias tomcat -keyalg RSA
>   keytool -certreq -alias tomcat -file my.csr
>
> Step 2: Generate the ca certificate
>   openssl req -new -newkey rsa:512 -nodes -out ca.req -keyout ca.key
>   openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.req -out ca.crt
>
> Step 3: Sign the tomcat request to generate tomcat certificate
>   openssl x509 -CA ca.crt -CAkey ca.key -in my.csr -out my.crt -req -CAcreateserial
>
> Step 4: Import both into my keystore
>   keytool -import -file ca.crt -alias RootCert
>   keytool -import -file my.crt -alias tomcat

I'm not sure it's necessary, but I'd import the last certificate with the following command:

  keytool -import -trustcacerts -file my.crt -alias tomcat

> I can then stop and restart tomcat, and non-client-authenticated https works.
> I then go on to
>
> Step 5: Generate a client certificate
>   openssl req -new -newkey rsa:512 -nodes -out client.req -keyout client.key
>   openssl x509 -CA ca.crt -CAkey ca.key -req -in client.req -out client.crt
>
> I then enable clientAuth=true, and try to connect to tomcat using the
> openssl s_client:
>   openssl s_client -cert client.crt -key client.key -connect localhost:8443
>
> and get the following output:
>   CONNECTED(0003)
>   depth=1 /C=US/ST=California/L=Stanford/O=Stanford University/OU=CSD/CN=UStorit [EMAIL PROTECTED]
>   verify error:num=19:self signed certificate in certificate chain
>   verify return:0
>   write:errno=104
>
> Any ideas? Or ideas on how to debug this? (I'm coming up against a deadline,
> so any hints much appreciated)

And I bet the client certificate should be signed in a specific way. Some guys mentioned that you can find some help at the openSSL site.

> -- 
> Brian Palmer
> Whoever fights monsters should see to it that in the process he does not
> become a monster. And when you look long into an abyss, the abyss also
> looks into you - Nietzsche

Anton
Re: SSL Client authentication with standalone Tomcat

Imagine an online banking system with some thousand clients. I can't believe that you have to import each client cert into the keystore file.

If you start tomcat with the -Djavax.net.debug=all option you should be able to verify that tomcat initially sends a list of trusted CAs taken from the cacerts file. This file should contain one CA (or more) that signed a client certificate signing request (or groups of them).

But Anton Brazhnyk's suggestion could be an alternative way.

If anybody succeeded in establishing the SSL client cert handshake after importing client certs into the keystore file only, please let us know.

Regards, Wolfgang

Anton Brazhnyk wrote:
> I'm not sure it's necessary, but I'd import the last certificate with the
> following command:
>   keytool -import -trustcacerts -file my.crt -alias tomcat
>
> Wolfgang Stein wrote:
> > As far as I understand the client-auth handshake, the server sends a list
> > of trusted CAs to the client. This list is taken from
> > JAVA_HOME_set_in_your_tomcat\lib\security\cacerts
> > So you have to import your CA cert into that file, instead of your
> > .keystore. There is no need to import the client cert into cacerts or
> > keystore.
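The following POSIX shell script is an added example; it is not from this thread, from Tomcat, or from the OpenSSL project. It rebuilds the PKI Brian describes in steps 2 to 5 with openssl only (openssl stands in for keytool when making the server cert, and 2048-bit keys replace the thread's rsa:512), then uses openssl verify to separate the two checks that were failing in the thread: whether a client cert chains to a CA the server trusts (Wolfgang's cacerts point, the cause of the server resetting the connection), and whether s_client was told which CA to trust (the "self signed certificate in certificate chain" message, which s_client prints when it is not given -CAfile ca.crt). All file names, subjects and the second "Other CA" are constructed for this example. It needs openssl on the PATH; the final keytool step only runs if keytool is installed and writes to a throwaway truststore, not the JVM's cacerts.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a test CA, a server cert
# and a client cert with openssl, then checks the chains the way a TLS peer
# would. Names, subjects and key sizes are this example's own choices.
set -u

# Create a fresh directory with CA, server, client and an unrelated second CA.
# Sets the global PKI_DIR for the other functions.
setup_pki() {
  PKI_DIR=$(mktemp -d)
  d="$PKI_DIR"

  # Thread step 2: a self-signed CA (-x509 emits a certificate directly).
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
      -keyout "$d/ca.key" -out "$d/ca.crt" -subj "/CN=Example Test CA" 2>/dev/null

  # Thread steps 1 and 3: server key + CSR, signed by the CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
      -out "$d/server.csr" -subj "/CN=localhost" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -days 365 -out "$d/server.crt" 2>/dev/null

  # Thread step 5: client key + CSR, signed by the same CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/client.key" \
      -out "$d/client.csr" -subj "/CN=test-client" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -days 365 -out "$d/client.crt" 2>/dev/null

  # A second CA that the "server" does not trust: models a CA that is
  # absent from the JVM's cacerts truststore.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
      -keyout "$d/other-ca.key" -out "$d/other-ca.crt" -subj "/CN=Other CA" 2>/dev/null
}

# verify_chain TRUST_ANCHOR CERT: exit 0 if CERT chains to TRUST_ANCHOR.
# This is the decision a server makes about a client cert when its trust
# store (cacerts in the thread) contains TRUST_ANCHOR.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_untrusted_chain CA CERT: the CA is offered only as chain material,
# with no trust anchor configured at all. This is what s_client did in the
# thread (no -CAfile), so the self-signed CA at the top of the chain is
# reported as untrusted. Prints openssl's diagnostic; exits non-zero.
verify_untrusted_chain() {
  openssl verify -no-CAfile -no-CApath -untrusted "$1" "$2" 2>&1
}

# The thread's actual fix, in a throwaway truststore instead of the JVM's
# cacerts. Skipped when keytool is not installed.
import_ca_into_truststore() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping"; return 0; }
  keytool -import -noprompt -trustcacerts -alias exampleca -file "$PKI_DIR/ca.crt" \
      -keystore "$PKI_DIR/truststore.jks" -storepass changeit >/dev/null 2>&1 \
    && echo "ca.crt imported into $PKI_DIR/truststore.jks"
}

main() {
  setup_pki
  if verify_chain "$PKI_DIR/ca.crt" "$PKI_DIR/client.crt"; then
    echo "accepted: client.crt chains to ca.crt, which the server trusts"
  fi
  if ! verify_chain "$PKI_DIR/other-ca.crt" "$PKI_DIR/client.crt"; then
    echo "rejected: a server trusting only other-ca.crt resets the handshake"
  fi
  echo "s_client without -CAfile sees the server chain like this:"
  verify_untrusted_chain "$PKI_DIR/ca.crt" "$PKI_DIR/server.crt" || true
  import_ca_into_truststore
}

main
```

Run it with sh. The two openssl verify calls show why the thread's output had two unrelated symptoms: s_client's verify error only reflects the client's missing -CAfile ca.crt and does not abort the handshake (hence "verify return:0"), while the write error came from Tomcat, whose JVM truststore did not contain the CA that signed client.crt. Tomcat 4.0, as discussed here, consulted the JVM's cacerts for that list, which is why Wolfgang's fix is to import ca.crt there; later Tomcat versions let the connector name a separate truststore file, the equivalent of the truststore.jks this script writes.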
RE: SSL Client authentication with standalone Tomcat

Hi Wolfgang,

> -----Original Message-----
> From: Wolfgang Stein [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 26, 2002 3:19 PM
> To: [EMAIL PROTECTED]
> Subject: Re: SSL Client authentication with standalone Tomcat
>
> Imagine an online banking system with some thousand clients. I can't believe
> that you have to import each client cert into the keystore file.
>
> If you start tomcat with the -Djavax.net.debug=all option you should be able
> to verify that tomcat initially sends a list of trusted CAs taken from the
> cacerts file. This file should contain one CA (or more) that signed a client
> certificate signing request (or groups of them).
>
> But Anton Brazhnyk's suggestion could be an alternative way.
>
> If anybody succeeded in establishing the SSL client cert handshake after
> importing client certs into the keystore file only, please let us know.

Actually I meant importing the server certificate, since there wasn't -trustcacerts in the statement with -alias tomcat.

And, well, I'm not sure again... :) The client cert should be signed with the certificate of the server (not just with the CA certificate).

> Regards, Wolfgang
>
> Anton Brazhnyk wrote:
> > I'm not sure it's necessary, but I'd import the last certificate with the
> > following command:
> >   keytool -import -trustcacerts -file my.crt -alias tomcat
> >
> > Wolfgang Stein wrote:
> > > As far as I understand the client-auth handshake, the server sends a
> > > list of trusted CAs to the client. This list is taken from
> > > JAVA_HOME_set_in_your_tomcat\lib\security\cacerts
> > > So you have to import your CA cert into that file, instead of your
> > > .keystore. There is no need to import the client cert into cacerts or
> > > keystore.

Anton
Reposting: SSL Client authentication with standalone Tomcat

I repost this because it didn't show up on the list but a subsequent posting already did:

> The client browser scans his (previously imported) client certs for a
> matching cert issuer/signer and sends (?) this to the server.

This part should read:

The client browser scans his (previously imported) client certs for a matching cert issuer/signer, fills / pops up a choice dialog box to select a client cert from, and sends (?) the user's selection back to the server. This choice box was usually empty in MS IE. Read my previous posting "Any success with Tomcat 4.0.2 and client certificates in MS IE ?"

Wolfgang Stein wrote:
> As far as I understand the client-auth handshake, the server sends a list of
> trusted CAs to the client. This list is taken from
> JAVA_HOME_set_in_your_tomcat\lib\security\cacerts
> So you have to import your CA cert into that file, instead of your .keystore.
> There is no need to import the client cert into cacerts or keystore.
>
> The client browser scans his (previously imported) client certs for a
> matching cert issuer/signer and sends (?) this to the server.
>
> You will face a difference in comparison of the CA certs between Netscape /
> MS IE.
>
> Regards, Wolfgang
>
> -----Original Message-----
> From: Brian Palmer [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 26 February 2002 11:58
> To: [EMAIL PROTECTED]
> Subject: SSL Client authentication with standalone Tomcat
>
> > I'm trying to set up for a simple project client-authentication and CA
> > abilities, using standalone tomcat and openssl. I'm not having luck. The
> > short version is, when I enable clientAuth, I am unable to connect to the
> > server, getting various messages (in Mozilla 0.9.8, I get no error
> > messages but the page will not load; using openssl s_client I get a
> > write error).
> >
> > Forgive me in advance for this long message, but my hope is that by
> > explicitly stating what I'm doing, it will be easy for someone more
> > experienced to see where I'm going wrong. I've spent much of the last 2
> > days searching online for information and trying different approaches;
> > most of the problems/solutions don't give a lot of details.
> >
> > I've done the following:
> >
> > Step 1: Generate the tomcat request for certificate
> >   keytool -genkey -alias tomcat -keyalg RSA
> >   keytool -certreq -alias tomcat -file my.csr
> >
> > Step 2: Generate the ca certificate
> >   openssl req -new -newkey rsa:512 -nodes -out ca.req -keyout ca.key
> >   openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.req -out ca.crt
> >
> > Step 3: Sign the tomcat request to generate tomcat certificate
> >   openssl x509 -CA ca.crt -CAkey ca.key -in my.csr -out my.crt -req -CAcreateserial
> >
> > Step 4: Import both into my keystore
> >   keytool -import -file ca.crt -alias RootCert
> >   keytool -import -file my.crt -alias tomcat
> >
> > I can then stop and restart tomcat, and non-client-authenticated https
> > works. I then go on to
> >
> > Step 5: Generate a client certificate
> >   openssl req -new -newkey rsa:512 -nodes -out client.req -keyout client.key
> >   openssl x509 -CA ca.crt -CAkey ca.key -req -in client.req -out client.crt
> >
> > I then enable clientAuth=true, and try to connect to tomcat using the
> > openssl s_client:
> >   openssl s_client -cert client.crt -key client.key -connect localhost:8443
> >
> > and get the following output:
> >   CONNECTED(0003)
> >   depth=1 /C=US/ST=California/L=Stanford/O=Stanford University/OU=CSD/CN=UStorit [EMAIL PROTECTED]
> >   verify error:num=19:self signed certificate in certificate chain
> >   verify return:0
> >   write:errno=104
> >
> > Any ideas? Or ideas on how to debug this? (I'm coming up against a
> > deadline, so any hints much appreciated)
> >
> > -- 
> > Brian Palmer
> > Whoever fights monsters should see to it that in the process he does not
> > become a monster. And when you look long into an abyss, the abyss also
> > looks into you - Nietzsche