----- Original Message -----
From: "Bill Barker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 11, 2003 2:03 PM
Subject: Re: Client SSL certificates signed by Windows Certificate Server

> "Martin Jericho" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > I am trying to use Windows Certificate Server to sign my client
> > certificates.
> >
> > First I tried to use a certificate that was generated in IE, but that didn't
> > seem to work (has anyone gotten this to work before?), so now I am trying
> > certificates generated by IBM's keyman program.
> >
> > These are the steps I take:
> >
> > 1. In keyman, generate a key pair in a PKCS#12 file.
> > 2. Create a certificate request based on this key pair
> > 3. In Microsoft Certificate Server's certsrv webpage, select the following
> >    options:
> >    - "Request a certificate"
> >    - "Advanced Request"
> >    - "Submit a certificate request using a base64 encoded PKCS #10 file or
> >      a renewal request using a base64 encoded PKCS #7 file"
> > 4. Paste the certificate request into the window
> > 5. Issue the certificate request on the server
> > 6. In Microsoft Certificate Server's certsrv webpage, select "Check on a
> >    pending certificate" and select the saved-request certificate
> > 7. Click on the "Download CA Certification Path" link, and save the
> >    certnew.p7b file to disk
> > 8. In keyman, import the .p7b file. This attaches itself to the original
> >    key pair.
> > 9. Save the keystore as a .p12 file
> > 10. Import this .p12 file into IE
> > 11. Export the signing certificate from IE into a file called MyCA.cer
> > 12. Import this cer file into Java's cacerts keystore
> > 13. Restart tomcat
> >
> > At this stage everything should work, but it doesn't. I can only get it to
> > work by exporting the new certificate itself into a .cer file and importing
> > that into the cacerts file. For some reason, tomcat doesn't trust Windows
> > Certificate Server's root certificate, or at least doesn't trust any
> > certificates signed by it, even after I have imported it into the cacerts
> > file.
> >
> > Has anyone done this before?
>
> Yup, it should work as you've described. I don't know anything about WCS
> (or care to know :), but does it sign with an intermediate cert? If so,
> then you'll probably have to import the intermediate cert as well (so that
> Tomcat can verify BasicConstraints etc.).

No intermediate certificates.

Something else that is unexpected... Even when I import the actual certificate into cacerts, I still have to have the root certificate in there as well. Does tomcat always check the whole certificate chain, even if it doesn't have to?

> > Thanks
> > Martin
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]