To whomever can help:

I'm trying to get a 2-way authentication mechanism working for Tomcat 4.1.29. I have browsed many archives and guides and have come up with some steps of commands to try and get the whole business up and running (see further down). I basically have a server and a client and I want the server to present a certificate to the client and vice versa, which the server then accepts and the user gains access to the protected resources. I am using my own CA (i.e. a self-signed one), which I employ to sign both the server and the client certificates.

My problem is that even though the server seems to present to me the correct certificate when I examine it (i.e. correctly signed by my own CA), I get an error saying the following (using Mozilla to access the site):

"Could not establish an encrypted connection, because certificate presented by <server> is invalid or corrupted. Error Code: -8182"

I looked this up in the Mozilla error codes database and it had the annotation "Peer's certificate has an invalid signature". I am really confused as to why this doesn't work. The exact steps I have taken for the whole process are as follows:

==================
SETTING UP OWN CA
==================

1. Create directory "certificates" and subdirectories
   - ca
   - server
   - client

2. Create private key and certificate request for our own CA (from root dir):

   openssl req -new -newkey rsa:1024 -nodes -out certificates/ca/ca.csr -keyout certificates/ca/ca.key -config /homes/ts200m/certificates/openssl.cnf

   Country Name [C] = GB
   State/Province Name [ST] = London
   Locality Name [L] = London
   Organization Name [O] = Imperial College London
   Organizational Unit Name [OU] = London e-Science Centre
   Common Name [CN] = ca.lesc.ic.ac.uk
   EMail Address [Email] = [EMAIL PROTECTED]
   Challenge Password = changeit

3. Create our CA's self-signed certificate:

   openssl x509 -trustout -signkey certificates/ca/ca.key -days 365 -req -in certificates/ca/ca.csr -out certificates/ca/ca.pem
   cp certificates/ca/ca.pem certificates/ca/ca.crt
   vim certificates/ca/ca.crt

   Edit "ca.crt" so that the strings "TRUSTED CERTIFICATE" read "CERTIFICATE".

4. Copy the JDK Certificate Authorities keystore into Tomcat's root dir:

   cp $JAVA_HOME/jre/lib/security/cacerts tomcat/
   chmod 0755 tomcat/cacerts

5. Import the CA certificate into "cacerts":

   keytool -import -trustcacerts -keystore tomcat/cacerts -file certificates/ca/ca.pem -alias LeSC-CA

   Keystore Password = changeit

   Should get a "Certificate was added to keystore" message.

6. Create a file to hold the CA's serial numbers:

   echo "02" > certificates/ca/ca.srl

======================
SETTING UP WEB SERVER
======================

1. Create a keystore for the server (this creates a keystore, as well as a self-signed certificate with the details provided):

   keytool -genkey -alias server -dname "CN=epic-server.lesc.ic.ac.uk, O=Imperial College London, OU=London e-Science Centre, L=London, S=London, C=GB" -keysize 1024 -keystore certificates/server/server.ks -keypass changeit -storepass changeit -storetype JKS -validity 365

2. Create a certificate request for the web server:

   keytool -certreq -keystore certificates/server/server.ks -storepass changeit -alias server -file certificates/server/server.csr

3. Sign the certificate request with our own CA:

   openssl x509 -CA certificates/ca/ca.pem -CAkey certificates/ca/ca.key -CAserial certificates/ca/ca.srl -req -in certificates/server/server.csr -out certificates/server/server.crt -days 365

4. Import the CA certificate into the keystore as root certificate (don't know if -trustcacerts is required...):

   keytool -import -alias root -keystore certificates/server/server.ks -storepass changeit -trustcacerts -keyalg RSA -file certificates/ca/ca.pem

   Should see the message "Certificate was added to keystore" after import.

5. Import the signed server certificate into the server keystore (this should replace the self-signed certificate with alias "server" that was created when the keystore was created):

   keytool -import -alias server -keystore certificates/server/server.ks -storepass changeit -keyalg RSA -file certificates/server/server.crt

   Should see the message "Certificate reply was installed in keystore" after import.

6. Move the keystore file to Tomcat's root dir:

   mv certificates/server/server.ks tomcat/
   chmod 0755 tomcat/server.ks

7. Set up the SSL Connector for Tomcat (edit file tomcat/conf/server.xml):

   <!-- Define a SSL Coyote HTTP/1.1 Connector on port 55556 -->
   <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
              port="55556" minProcessors="5" maxProcessors="75"
              enableLookups="true" acceptCount="100" debug="0"
              scheme="https" secure="true" useURIValidationHack="false"
              disableUploadTimeout="true">
     <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
              clientAuth="true" protocol="TLS"
              keystoreFile="server.ks" keystorePass="changeit"
              truststoreFile="cacerts" truststorePass="changeit"/>
   </Connector>

=====================
SET UP AN SSL CLIENT
=====================

1. Create a client certificate request:

   openssl req -new -newkey rsa:512 -nodes -out certificates/client/client1.req -keyout certificates/client/client1.key -config /homes/ts200m/certificates/openssl.cnf

   Country Name = GB
   State/Province Name = London
   Locality Name = London
   Organization Name = Imperial College
   Organizational Unit Name = Department of Computing
   Common Name = Tamas Suto
   Email Address = [EMAIL PROTECTED]
   Challenge Password = changeit

2. Have the CA sign the client certificate:

   openssl x509 -CA certificates/ca/ca.pem -CAkey certificates/ca/ca.key -CAserial certificates/ca/ca.srl -req -in certificates/client/client1.req -out certificates/client/client1.pem -days 365

3. Generate a PKCS12 file containing the client key and certificate:

   openssl pkcs12 -export -clcerts -in certificates/client/client1.pem -inkey certificates/client/client1.key -out certificates/client/client1.p12 -name "EPIC Client Certificate"

   Export Password = changeit

4. Import the PKCS12 certificate file into the browser and use it as client certificate and key.

If anyone could help me spot where something has gone wrong, I would be most thankful. I have already spent weeks trying to get this working without any success.

Thanks for any help in advance.

Best regards,
Tamas Suto
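An added example (not part of the original post, and not the poster's own script): the same two-tier PKI built with openssl only, followed by the checks a practitioner would run before loading anything into a keystore or a browser. Mozilla's -8182 ("Peer's certificate has an invalid signature") is the browser's version of `openssl verify -CAfile ca.pem server.crt` failing, so that check is run offline for both the server and the client certificate, together with a check that each private key actually belongs to the certificate it is bundled with. The DNs and hostnames are the ones from the post; the scratch directory, the 2048-bit key sizes, the use of openssl (rather than keytool) for the server key, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a private CA, a server
# certificate and a client certificate with openssl, then verifies the
# chains offline. DNs are taken from the post; everything else is assumed.
set -eu

# Returns 0 only if the CA certificate in $1 actually signed the certificate
# in $2 (the same chain check a browser performs before trusting a peer).
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 only if private key $1 and certificate $2 carry the same public
# key, i.e. the PKCS#12 bundle built from them will be usable by a client.
key_matches_cert() {
  k_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$k_pub" ] && [ "$k_pub" = "$c_pub" ]
}

# Builds the PKI under the directory given as $1 (a fresh temp dir if
# omitted), verifies every certificate against the CA, and prints the
# directory so callers can inspect the files.
build_pki() {
  work="${1:-$(mktemp -d)}"
  mkdir -p "$work/ca" "$work/server" "$work/client"

  # 1. CA key and self-signed CA certificate in one step. No -trustout, so
  #    the PEM header is the plain "CERTIFICATE" that keytool expects.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=GB/ST=London/L=London/O=Imperial College London/OU=London e-Science Centre/CN=ca.lesc.ic.ac.uk" \
    -keyout "$work/ca/ca.key" -out "$work/ca/ca.pem" 2>/dev/null
  echo 02 > "$work/ca/ca.srl"

  # 2. Server key + CSR, signed by the CA (assumed: openssl instead of keytool).
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=GB/ST=London/L=London/O=Imperial College London/OU=London e-Science Centre/CN=epic-server.lesc.ic.ac.uk" \
    -keyout "$work/server/server.key" -out "$work/server/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$work/server/server.csr" \
    -CA "$work/ca/ca.pem" -CAkey "$work/ca/ca.key" -CAserial "$work/ca/ca.srl" \
    -out "$work/server/server.crt" 2>/dev/null

  # 3. Client key + CSR, signed by the same CA, then bundled as PKCS#12.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=GB/ST=London/L=London/O=Imperial College/OU=Department of Computing/CN=Tamas Suto" \
    -keyout "$work/client/client1.key" -out "$work/client/client1.req" 2>/dev/null
  openssl x509 -req -days 365 -in "$work/client/client1.req" \
    -CA "$work/ca/ca.pem" -CAkey "$work/ca/ca.key" -CAserial "$work/ca/ca.srl" \
    -out "$work/client/client1.pem" 2>/dev/null
  openssl pkcs12 -export -clcerts -in "$work/client/client1.pem" \
    -inkey "$work/client/client1.key" -out "$work/client/client1.p12" \
    -name "EPIC Client Certificate" -passout pass:changeit 2>/dev/null

  # 4. Pre-flight checks: both leaves must chain to the CA, and each key
  #    must match its certificate. A failure here is what the browser
  #    reports as an invalid signature.
  verify_against_ca "$work/ca/ca.pem" "$work/server/server.crt"
  verify_against_ca "$work/ca/ca.pem" "$work/client/client1.pem"
  key_matches_cert "$work/server/server.key" "$work/server/server.crt"
  key_matches_cert "$work/client/client1.key" "$work/client/client1.pem"

  echo "$work"
}

# Stand-alone use: build everything and show who issued each certificate.
if [ "${PKI_DEMO:-1}" = "1" ]; then
  dir=$(build_pki)
  for c in "$dir/server/server.crt" "$dir/client/client1.pem"; do
    openssl x509 -in "$c" -noout -subject -issuer
  done
fi
```

Run the script as-is to get a working set of files under a temp directory; if `openssl verify` fails for `server.crt` against `ca.pem` in your own setup, the signature problem is in the CA or signing step, not in Tomcat or the browser. When `openssl verify` passes but the browser still rejects the certificate, compare the CA certificate the browser trusts (or the one imported into `cacerts`) byte for byte with `ca.pem`, since a re-generated or hand-edited CA file produces exactly the "invalid signature" symptom.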