Bill Barker wrote:

> "Martin Jericho" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > ----- Original Message -----
> > From: "Bill Barker" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, August 11, 2003 2:03 PM
> > Subject: Re: Client SSL certificates signed by Windows Certificate Server
> >
> > > "Martin Jericho" <[EMAIL PROTECTED]> wrote in message
> > > news:[EMAIL PROTECTED]
> > > > I am trying to use Windows Certificate Server to sign my client
> > > > certificates.
> > > >
> > > > First I tried to use a certificate that was generated in IE, but that
> > > > didn't seem to work (has anyone gotten this to work before?), so now I
> > > > am trying certificates generated by IBM's keyman program.
> > > >
> > > > These are the steps I take:
> > > >
> > > > 1. In keyman, generate a key pair in a PKCS#12 file.
> > > > 2. Create a certificate request based on this key pair
> > > > 3. In Microsoft Certificate Server's certsrv webpage, select the
> > > >    following options:
> > > >    - "Request a certificate"
> > > >    - "Advanced Request"
> > > >    - "Submit a certificate request using a base64 encoded PKCS #10
> > > >      file or a renewal request using a base64 encoded PKCS #7 file"
> > > > 4. Paste the certificate request into the window
> > > > 5. Issue the certificate request on the server
> > > > 6. In Microsoft Certificate Server's certsrv webpage, select "Check on
> > > >    a pending certificate" and select the saved-request certificate
> > > > 7. Click on the "Download CA Certification Path" link, and save the
> > > >    certnew.p7b file to disk
> > > > 8. In keyman, import the .p7b file. This attaches itself to the
> > > >    original key pair.
> > > > 9. Save the keystore as a .p12 file
> > > > 10. Import this .p12 file into IE
> > > > 11. Export the signing certificate from IE into a file called MyCA.cer
> > > > 12. Import this cer file into Java's cacerts keystore
> > > > 13. Restart tomcat
> > > >
> > > > At this stage everything should work, but it doesn't. I can only get
> > > > it to work by exporting the new certificate itself into a .cer file
> > > > and importing that into the cacerts file. For some reason, tomcat
> > > > doesn't trust Windows Certificate Server's root certificate, or at
> > > > least doesn't trust any certificates signed by it, even after I have
> > > > imported it into the cacerts file.
> > > >
> > > > Has anyone done this before?
> > >
> > > Yup, it should work as you've described. I don't know anything about
> > > WCS (or care to know :), but does it sign with an intermediate cert? If
> > > so, then you'll probably have to import the intermediate cert as well
> > > (so that Tomcat can verify BasicConstraints etc.).
>
> Of course it checks the entire cert chain. It would be a security hole if
> it didn't (e.g. anyone could simply issue themselves a cert, and login).
> All that should be required is that you have the root cert in cacerts, and
> then Tomcat should validate your client-certs (w/o requiring that they be
> imported).

Sorry to butt into this thread... I use Apache + mod_ssl to talk with OpenSSL
with Tomcat behind that. I have signed my own certificate. How do I know
Apache is checking the imported certificate?
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
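Bill's point about the intermediate cert, and the last question of how to tell whether a validator is really checking the chain, can be seen directly with the openssl command line. This is an added example, not code from anyone in the thread: it builds a constructed root -> intermediate -> client chain (all names made up) and shows that a trust store holding only the root rejects the client cert until the intermediate is supplied. It assumes the openssl tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): toy CA hierarchy built with openssl,
# then chain validation with and without the intermediate. Constructed names.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Issuer certs must carry BasicConstraints CA:TRUE; a validator refuses to
# treat a cert without it as an issuer. The client (leaf) cert gets CA:FALSE.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext

# Make a private key and a PKCS#10 request for the given file stem and CN.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

csr root "Demo Root CA"
csr int "Demo Intermediate CA"
csr client "demo-user"

# Root is self-signed, intermediate is signed by root, client by intermediate.
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out root.pem 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out int.pem 2>/dev/null
openssl x509 -req -in client.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out client.pem 2>/dev/null

# Validate client.pem against a trust store file ($1) plus an optional file of
# untrusted intermediates ($2). Exit status 0 means openssl built a complete
# chain from the client cert up to a trusted self-signed root.
verify_client() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" client.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" client.pem >/dev/null 2>&1
  fi
}

# With only the root trusted the issuer of client.pem cannot be found, which is
# the "doesn't trust certificates signed by it" symptom; adding the
# intermediate completes the chain.
if verify_client root.pem; then echo "root only: accepted"
else echo "root only: rejected (issuer not found)"; fi
if verify_client root.pem int.pem; then echo "root + intermediate: accepted"
else echo "root + intermediate: rejected"; fi
```

For a live server the same check applies: the trust store (cacerts for Tomcat, SSLCACertificateFile for mod_ssl) needs the self-signed root, and every intermediate the CA signs with must be available to the validator as well.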