"joelsherriff" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> I thought that's what this step:
>
> # Import the CA certificate into the server keystore:
> keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
>
> was doing. No?

No. That's putting it into your keystoreFile. The keystoreFile is to identify you. The truststoreFile is to identify other people.

> ----- Original Message -----
> From: "Bill Barker" <[EMAIL PROTECTED]>
> To: <tomcat-user@jakarta.apache.org>
> Sent: Friday, March 25, 2005 8:51 PM
> Subject: Re: Help with SSL & Cert config
>
>> You need to put your CA cert into your Tomcat truststoreFile. Otherwise,
>> your client's cert won't be trusted.
>>
>> "joelsherriff" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>> I'm resending this message because a) for some reason I didn't see it on the
>> list after I sent it and b) I never got any responses (maybe because of
>> _a_). So, if my original post did actually make it to the list, please
>> forgive the re-post.
>>
>> Hope someone can help. I've searched through the archives and this seems to
>> be a common problem, but even detailed instructions have left me stumped.
>> I'm trying to get client certificates to be required by tomcat by setting
>> clientAuth=true but I can't seem to figure out how to get the client
>> certificate to be accepted once I do that. Here's what I've done to
>> generate all the appropriate files (parts copied from other posts to this
>> list):
>>
>> Further elaboration of what we're trying to do: We want to require client
>> authentication from our customers. So, IIUC, we'll have to send them a
>> signed client cert (p12) to install in their browser and java keystores.
>> Again, IIUC, importing the CA certificate, that was used to sign the client
>> cert, into the server keystore is what tells the server to accept the client
>> certificate presented, because it will be signed by that CA (us). Is my
>> understanding correct? If so, these steps appear to be correct, unless I've
>> hosed something up along the way.
>>
>> # Create a private key and certificate request
>> openssl req -new -subj "/C=US/ST=North Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
>>
>> # Create CA's self-signed certificate
>> openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
>>
>> # Copy ca.pem to ca.crt, edit and change "TRUSTED CERTIFICATE" to "CERTIFICATE"
>> # import ca.crt into the Trusted Root Certificates Store in IE
>>
>> # Import the CA certificate into the JDK certificate authorities keystore:
>> keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file ca.pem -alias my_ca_alias -keypass changeit -storepass changeit
>>
>> # Create a file to hold CA's serial numbers.
>> echo "02" > ca.srl
>>
>> # Create a keystore for the web server.
>> keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D, O=MyOrganization, L=Raleigh, S=North Carolina, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
>>
>> # Create a certificate request for the web server:
>> keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
>>
>> # Sign the certificate request:
>> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
>>
>> # Import the signed server certificate into the server keystore:
>> keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit
>>
>> # Import the CA certificate into the server keystore:
>> keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
>>
>> # Create a client certificate request:
>> openssl req -new -newkey rsa:512 -nodes -out client1.req -keyout client1.key
>>
>> # Sign the client certificate.
>> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in client1.req -out client1.pem -days 365
>>
>> # Generate a PKCS12 file containing client key and client certificate.
>> openssl pkcs12 -export -clcerts -in client1.pem -inkey client1.key -out client1.p12 -name "Client"
>>
>> # Import the PKCS12 file into the web browser under Personal Certificates
>>
>> # edit the server.xml file and set clientAuth=true and keystoreFile to point
>> to my server.keystore file.
>>
>> Once all this is done, neither IE nor my web app can talk to tomcat on the
>> ssl port (8443)
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
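The separation Bill describes (keystoreFile holds the server's own key and certificate; truststoreFile holds the CA that signed the client certificates) can be scripted end to end. The script below is an added example and is not part of the thread: it builds a demo CA, a server keystore, and a separate truststore containing only the CA, signs a client certificate, checks that the client certificate actually chains to that CA, and writes a Connector fragment that names both keystoreFile and truststoreFile. It assumes openssl and keytool are on PATH; the CA name "Demo CA", the client subject "client1", the work directory and the "changeit" password are constructed demo values.

```shell
#!/bin/sh
# Added example (not from the thread): server keystore vs. client truststore
# for Tomcat clientAuth="true". Assumes openssl and keytool are on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # constructed: scratch directory for all files
PASS="changeit"                # constructed demo password

# Self-signed CA that will sign both the server and the client certificates.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=US/ST=North Carolina/L=Raleigh/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  echo "02" > "$WORK/ca.srl"
}

# keystoreFile: the server's own key pair plus its CA-signed certificate.
make_server_keystore() {
  keytool -genkeypair -alias tomcat-sv -keyalg RSA -keysize 2048 \
    -dname "CN=akuma-c, OU=R&D, O=MyOrganization, L=Raleigh, S=North Carolina, C=US" \
    -keystore "$WORK/server.keystore" -storetype JKS \
    -storepass "$PASS" -keypass "$PASS"
  keytool -certreq -alias tomcat-sv -file "$WORK/server.csr" \
    -keystore "$WORK/server.keystore" -storepass "$PASS"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAserial "$WORK/ca.srl" -days 365 -out "$WORK/server.crt" 2>/dev/null
  # CA cert first so keytool can build the chain, then the signed server cert
  keytool -importcert -noprompt -alias my_ca_alias -file "$WORK/ca.pem" \
    -keystore "$WORK/server.keystore" -storepass "$PASS"
  keytool -importcert -noprompt -alias tomcat-sv -file "$WORK/server.crt" \
    -keystore "$WORK/server.keystore" -storepass "$PASS"
}

# truststoreFile: ONLY the CA that is allowed to vouch for client certificates.
make_truststore() {
  keytool -importcert -noprompt -alias my_ca_alias -file "$WORK/ca.pem" \
    -keystore "$WORK/server.truststore" -storetype JKS -storepass "$PASS"
}

# Client key, CA-signed client certificate, and the PKCS12 bundle for the browser.
make_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
    -keyout "$WORK/client1.key" -out "$WORK/client1.req" 2>/dev/null
  openssl x509 -req -in "$WORK/client1.req" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAserial "$WORK/ca.srl" -days 365 -out "$WORK/client1.pem" 2>/dev/null
  openssl pkcs12 -export -clcerts -in "$WORK/client1.pem" -inkey "$WORK/client1.key" \
    -out "$WORK/client1.p12" -name "Client" -passout "pass:$PASS"
}

# The check Tomcat performs at handshake time: does the client cert chain to a
# CA in the truststore? Returns 0 when it does.
verify_client_cert() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/client1.pem" >/dev/null 2>&1
}

# Returns 0 when the truststore really contains the CA entry.
truststore_has_ca() {
  keytool -list -keystore "$WORK/server.truststore" -storepass "$PASS" 2>/dev/null \
    | grep -q "my_ca_alias"
}

# Connector fragment for server.xml: both stores are named explicitly.
write_connector() {
  cat > "$WORK/connector.xml" <<EOF
<Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="$WORK/server.keystore" keystorePass="$PASS"
           truststoreFile="$WORK/server.truststore" truststorePass="$PASS"/>
EOF
}

if [ "${1:-}" = "--run" ]; then
  make_ca; make_server_keystore; make_truststore; make_client; write_connector
  verify_client_cert && echo "client1 chains to Demo CA; files in $WORK"
fi
```

Run it as `sh script.sh --run`. A dedicated truststore is preferable to importing the CA into the JDK's cacerts as the thread does: the server then trusts exactly one issuer for client authentication, and a JDK upgrade cannot silently drop that trust. If the client certificate is rejected despite this, the first thing to check is that `openssl verify` against the same CA file succeeds; if it does, the problem is in the Connector attributes, not in the certificates.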