"Martin Jericho" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> ----- Original Message ----- 
> From: "Bill Barker" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, August 11, 2003 2:03 PM
> Subject: Re: Client SSL certificates signed by Windows Certificate Server
>
>
> >
> > "Martin Jericho" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]
> > > I am trying to use Windows Certificate Server to sign my client
> > > certificates.
> > >
> > > First I tried to use a certificate that was generated in IE, but that
> > > didn't seem to work (has anyone gotten this to work before?), so now I am
> > > trying certificates generated by IBM's keyman program.
> > >
> > > These are the steps I take:
> > >
> > > 1.  In keyman, generate a key pair in a PKCS#12 file.
> > > 2.  Create a certificate request based on this key pair
> > > 3.  In Microsoft Certificate Server's certsrv webpage, select the
> > > following options:
> > >     - "Request a certificate"
> > >     - "Advanced Request"
> > >     - "Submit a certificate request using a base64 encoded PKCS #10 file
> > >       or a renewal request using a base64 encoded PKCS #7 file"
> > > 4.  Paste the certificate request into the window
> > > 5.  Issue the certificate request on the server
> > > 6.  In Microsoft Certificate Server's certsrv webpage, select "Check on
> > > a pending certificate" and select the saved-request certificate
> > > 7.  Click on the "Download CA Certification Path" link, and save the
> > > certnew.p7b file to disk
> > > 8.  In keyman, import the .p7b file.  This attaches itself to the
> > > original key pair.
> > > 9.  Save the keystore as a .p12 file
> > > 10.  Import this .p12 file into IE
> > > 11.  Export the signing certificate from IE into a file called MyCA.cer
> > > 12.  Import this cer file into Java's cacerts keystore
> > > 13.  Restart tomcat
> > >
> > > At this stage everything should work, but it doesn't.  I can only get it
> > > to work by exporting the new certificate itself into a .cer file and
> > > importing that into the cacerts file.  For some reason, tomcat doesn't
> > > trust Windows Certificate Server's root certificate, or at least doesn't
> > > trust any certificates signed by it, even after I have imported it into
> > > the cacerts file.
> > >
> > > Has anyone done this before?
> >
> > Yup, it should work as you've described.  I don't know anything about WCS
> > (or care to know :), but does it sign with an intermediate cert?  If so,
> > then you'll probably have to import the intermediate cert as well (so that
> > Tomcat can verify BasicConstraints etc.).
>
> No intermediate certificates.
> Something else that is unexpected... Even when I import the actual
> certificate into cacerts, I still have to have the root certificate in there
> as well.  Does tomcat always check the whole certificate chain, even if it
> doesn't have to?

Of course it checks the entire cert chain.  It would be a security hole if
it didn't (e.g. anyone could simply issue themselves a cert, and login).
All that should be required is that you have the root cert in cacerts, and
then Tomcat should validate your client-certs (w/o requiring that they be
imported).

>
> > > Thanks
> > > Martin
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
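The chain check Bill describes above, as a stand-alone diagnostic added here (not code from the thread, from Tomcat or from keyman): it runs the same PKIX path validation that JSSE applies to a presented client certificate, with only the CA in the truststore, and first reports whether the certificate's issuer matches any trust anchor at all, which is the thing to compare when a "root" imported into cacerts turns out not to be the CA that actually signed the client cert. The file names, the default cacerts password `changeit` and the class name are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;

/** Validates a client certificate against the trusted roots in a JKS truststore such as cacerts. */
public class ClientCertCheck {
    /** Returns true when the certificate chains to a trust anchor in the truststore. */
    public static boolean validate(String certFile, String truststoreFile, char[] password) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate client;
        try (FileInputStream in = new FileInputStream(certFile)) {
            client = (X509Certificate) cf.generateCertificate(in);  // DER or base64 .cer
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(truststoreFile)) {
            ts.load(in, password);
        }
        // Every trusted-certificate entry in the keystore becomes a PKIX trust anchor.
        PKIXParameters params = new PKIXParameters(ts);
        params.setRevocationEnabled(false);  // offline check: no CRL/OCSP lookup
        // Diagnostic: does any anchor's subject match the client cert's issuer? If not,
        // the certificate that was imported is not the CA that actually signed this cert.
        boolean issuerKnown = false;
        for (TrustAnchor ta : params.getTrustAnchors()) {
            issuerKnown |= ta.getTrustedCert().getSubjectX500Principal()
                    .equals(client.getIssuerX500Principal());
        }
        System.out.println("Issuer " + client.getIssuerX500Principal()
                + (issuerKnown ? " is" : " is NOT") + " a trust anchor in " + truststoreFile);

        // The path holds only the end-entity cert; PKIX must link it to an anchor by signature.
        CertPath path = cf.generateCertPath(Collections.singletonList(client));
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("Accepted, anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            return true;
        } catch (CertPathValidatorException e) {
            System.out.println("Rejected: " + e.getMessage());  // bad signature, expiry, constraints...
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage (assumed paths): java ClientCertCheck client.cer $JAVA_HOME/lib/security/cacerts changeit
        validate(args[0], args[1], args[2].toCharArray());
    }
}
```

If the issuer line says NOT and validation is rejected, the entry in cacerts is not the signing CA; if the issuer matches but validation still fails, the message names the actual defect (signature, validity period or BasicConstraints), which is what Tomcat is enforcing when it refuses the client.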