I thought that's what this step:

# Import the CA certificate into the server keystore:
keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit

was doing. No?

----- Original Message -----
From: "Bill Barker" <[EMAIL PROTECTED]>
To: <tomcat-user@jakarta.apache.org>
Sent: Friday, March 25, 2005 8:51 PM
Subject: Re: Help with SSL & Cert config

> You need to put your CA cert into your Tomcat truststoreFile. Otherwise,
> your client's cert won't be trusted.
>
> "joelsherriff" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> I'm resending this message because a) for some reason I didn't see it on the
> list after I sent it and b) I never got any responses (maybe because of
> _a_). So, if my original post did actually make it to the list, please
> forgive the re-post.
>
> Hope someone can help. I've searched through the archives and this seems to
> be a common problem, but even detailed instructions have left me stumped.
> I'm trying to get client certificates to be required by tomcat by setting
> clientAuth=true but I can't seem to figure out how to get the client
> certificate to be accepted once I do that. Here's what I've done to generate
> all the appropriate files (parts copied from other posts to this list):
>
> Further elaboration of what we're trying to do: We want to require client
> authentication from our customers. So, IIUC, we'll have to send them a
> signed client cert (p12) to install in their browser and java keystores.
> Again, IIUC, importing the CA certificate, that was used to sign the client
> cert, into the server keystore is what tells the server to accept the client
> certificate presented, because it will be signed by that CA (us). Is my
> understanding correct? If so, these steps appear to be correct, unless I've
> hosed something up along the way.
>
> # Create a private key and certificate request
> openssl req -new -subj "/C=US/ST=North Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
>
> # Create CA's self-signed certificate
> openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
>
> # Copy ca.pem to ca.crt, edit and change "TRUSTED CERTIFICATE" to "CERTIFICATE"
> # import ca.crt into the Trusted Root Certificates Store in IE
>
> # Import the CA certificate into the JDK certificate authorities keystore:
> keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file ca.pem -alias my_ca_alias -keypass changeit -storepass changeit
>
> # Create a file to hold CA's serial numbers.
> echo "02" > ca.srl
>
> # Create a keystore for the web server.
> keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D, O=MyOrganization, L=Raleigh, S=North Carolina, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
>
> # Create a certificate request for the web server:
> keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
>
> # Sign the certificate request:
> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
>
> # Import the signed server certificate into the server keystore:
> keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit
>
> # Import the CA certificate into the server keystore:
> keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
>
> # Create a client certificate request:
> openssl req -new -newkey rsa:512 -nodes -out client1.req -keyout client1.key
>
> # Sign the client certificate.
> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in client1.req -out client1.pem -days 365
>
> # Generate a PKCS12 file containing client key and client certificate.
> openssl pkcs12 -export -clcerts -in client1.pem -inkey client1.key -out client1.p12 -name "Client"
>
> # Import the PKCS12 file into the web browser under Personal Certificates
>
> # edit the server.xml file and set clientAuth=true and keystoreFile to point to my server.keystore file.
>
> Once all this is done, neither IE nor my web app can talk to tomcat on the
> ssl port (8443)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
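The distinction Bill draws, as an added example that is not part of this thread: the server keystore holds the server's own certificate, while a client certificate is accepted only if it chains to a CA in the truststore. It is written in Go with the standard library's crypto/x509 rather than with keytool, so the CA, server and client certificates are built in memory and the check runs offline; the names ("MyOrganization CA", "akuma-c", "Client") mirror the commands above, and the key type, validity period and serial handling are constructed stand-ins for the openssl steps.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a cert for cn: self-signed when parent is nil (the CA), else signed by parent's key.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	isCA := parent == nil
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, // serial: stand-in for ca.srl
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	signer, signerKey := parent, parentKey // like "openssl x509 -CA ca.pem -CAkey ca.key"
	if isCA {
		signer, signerKey = tmpl, key // like "openssl x509 -signkey ca.key"
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only the CA may sign other certificates
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// clientTrusted is what clientAuth="true" asks: does the client cert chain to a CA in the truststore?
func clientTrusted(client, trustAnchor *x509.Certificate) bool {
	pool := x509.NewCertPool() // the truststore (Tomcat's truststoreFile); not nil, which would mean system roots
	pool.AddCert(trustAnchor)
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

func main() {
	ca, caKey := newCert("MyOrganization CA", nil, nil)
	server, _ := newCert("akuma-c", ca, caKey)
	client, _ := newCert("Client", ca, caKey)
	fmt.Println(clientTrusted(client, ca), clientTrusted(client, server)) // true false: only a CA is a trust anchor
}
```

The second result is the gap Bill points at: a certificate sitting in the server keystore is not a trust anchor, so what the truststore holds is what decides whether a client certificate is accepted.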