Well I have more info now.  I turned on debugging and saw that I'm getting a
'null cert chain' SSLHandshakeException.  So, I started from scratch and went
through each of my steps one by one and I've apparently got one of them wrong.
Now when I do these steps:

# Create a private key and certificate request for your own CA:
openssl req -new -subj "/C=US/ST=New York/L=New York/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key

# Create CA's self-signed certificate
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

# Import the CA certificate into the JDK certificate authorities keystore:
keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file ca.pem -alias myalias -keypass changeit

# Create a file to hold CA's serial numbers.
echo "02" > ca.srl

# Create a keystore for web server.
keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D, O=MyOrg, L=New York, S=New York, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS

# Create a certificate request for web server:
keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit

# Sign the certificate request:
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365

# Import the signed server certificate into the server keystore:
keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit

I get a 'Failed to establish chain from reply' exception at this point.



----- Original Message ----- 
From: "joelsherriff" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Sent: Saturday, March 26, 2005 11:24 AM
Subject: Re: Help with SSL & Cert config


> Ah.  Thanks for the help, truly, but I'm still not getting there.  I
> didn't even know about the truststoreFile so I googled it and saw mention
> that the easiest thing to do is to set the truststoreFile = the
> keystoreFile, since that already has the CA cert in it.  So, I tried setting
> truststoreFile to point to my keystoreFile in server.xml.  That didn't help.
> Then I saw that there might be issues with setting truststoreFile in the
> server.xml in Tomcat 4.1 so I set it in CATALINA_OPTS like:
>
> -Djavax.net.ssl.trustStore="C:/Program Files/Apache Group/Tomcat 4.1/conf/server.keystore"
>
> and that didn't help either.  Anything else I'm missing?
>
>
> ----- Original Message ----- 
> From: "Bill Barker" <[EMAIL PROTECTED]>
> To: <tomcat-user@jakarta.apache.org>
> Sent: Friday, March 25, 2005 10:13 PM
> Subject: Re: Help with SSL & Cert config
>
>
> >
> > "joelsherriff" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]
> > >I thought that's what this step:
> > >
> > > # Import the CA certificate into the server keystore:
> > > keytool -import -alias my_ca_alias -keystore
> > > server.keystore -trustcacerts -file ca.pem -keypass changeit
> > >
> > > was doing.  No?
> > >
> >
> > No.  That's putting it into your keystoreFile.  The keystoreFile is to
> > identify you.  The truststoreFile is to identify other people.
> >
> > > ----- Original Message ----- 
> > > From: "Bill Barker" <[EMAIL PROTECTED]>
> > > To: <tomcat-user@jakarta.apache.org>
> > > Sent: Friday, March 25, 2005 8:51 PM
> > > Subject: Re: Help with SSL & Cert config
> > >
> > >
> > >> You need to put your CA cert into your Tomcat truststoreFile.  Otherwise,
> > >> your client's cert won't be trusted.
> > >>
> > >> "joelsherriff" <[EMAIL PROTECTED]> wrote in message
> > >> news:[EMAIL PROTECTED]
> > >> I'm resending this message because a) for some reason I didn't see it on
> > >> the list after I sent it and b) I never got any responses (maybe because
> > >> of _a_).  So, if my original post did actually make it to the list,
> > >> please forgive the re-post.
> > >>
> > >> Hope someone can help.  I've searched through the archives and this
> > >> seems to be a common problem, but even detailed instructions have left
> > >> me stumped.  I'm trying to get client certificates to be required by
> > >> tomcat by setting clientAuth=true but I can't seem to figure out how to
> > >> get the client certificate to be accepted once I do that.  Here's what
> > >> I've done to generate all the appropriate files (parts copied from other
> > >> posts to this list):
> > >>
> > >> Further elaboration of what we're trying to do:  We want to require
> > >> client authentication from our customers.  So, IIUC, we'll have to send
> > >> them a signed client cert (p12) to install in their browser and java
> > >> keystores.  Again, IIUC, importing the CA certificate, that was used to
> > >> sign the client cert, into the server keystore is what tells the server
> > >> to accept the client certificate presented, because it will be signed by
> > >> that CA (us).  Is my understanding correct?  If so, these steps appear
> > >> to be correct, unless I've hosed something up along the way.
> > >>
> > >> # Create a private key and certificate request
> > >> openssl req -new -subj "/C=US/ST=North Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
> > >>
> > >> # Create CA's self-signed certificate
> > >> openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
> > >>
> > >> # Copy ca.pem to ca.crt, edit and change "TRUSTED CERTIFICATE" to "CERTIFICATE"
> > >> # import ca.crt into the Trusted Root Certificates Store in IE
> > >>
> > >> # Import the CA certificate into the JDK certificate authorities keystore:
> > >> keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file ca.pem -alias my_ca_alias -keypass changeit -storepass changeit
> > >>
> > >> # Create a file to hold CA's serial numbers.
> > >> echo "02" > ca.srl
> > >>
> > >> # Create a keystore for the web server.
> > >> keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D, O=MyOrganization, L=Raleigh, S=North Carolina, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
> > >>
> > >> # Create a certificate request for the web server:
> > >> keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
> > >>
> > >> # Sign the certificate request:
> > >> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
> > >>
> > >> # Import the signed server certificate into the server keystore:
> > >> keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit
> > >>
> > >> # Import the CA certificate into the server keystore:
> > >> keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
> > >>
> > >> # Create a client certificate request:
> > >> openssl req -new -newkey rsa:512 -nodes -out client1.req -keyout client1.key
> > >>
> > >> # Sign the client certificate.
> > >> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in client1.req -out client1.pem -days 365
> > >>
> > >> # Generate a PKCS12 file containing client key and client certificate.
> > >> openssl pkcs12 -export -clcerts -in client1.pem -inkey client1.key -out client1.p12 -name "Client"
> > >>
> > >> # Import the PKCS12 file into the web browser under Personal Certificates
> > >>
> > >> # edit the server.xml file and set clientAuth=true and keystoreFile to point to my server.keystore file.
> > >>
> > >> Once all this is done, neither IE nor my web app can talk to tomcat on the ssl port (8443)
> > >>
> > >>
> > >>
> > >>
> > >> ---------------------------------------------------------------------
> > >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> > >> For additional commands, e-mail: [EMAIL PROTECTED]
> > >>
> > >>
> >
>
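The two errors in this thread, keytool's "Failed to establish chain from reply" and the 'null cert chain' handshake failure under clientAuth=true, are the same check seen from two sides: can the certificate being presented be chained back to a CA certificate that the verifier already trusts? The script below is an added example, not code from the thread or from Tomcat; it reproduces that check with openssl alone (no keytool, no Tomcat) so the outcome can be seen in isolation. File names follow the thread (ca.key, ca.pem, ca.srl, server.csr, server.crt); the subjects, the 2048-bit key size, the scratch directory and the second CA "otherca" are constructed for the demonstration. It also writes the CA certificate with the thread's -trustout option to show the "TRUSTED CERTIFICATE" PEM label that the earlier post worked around by editing the header to "CERTIFICATE".

```shell
#!/bin/sh
# Added example, not part of the thread: reproduce with openssl alone the check that
# keytool performs before it reports "Failed to establish chain from reply" and that
# Tomcat performs on a client certificate when clientAuth=true. File names follow the
# thread (ca.key, ca.pem, ca.srl, server.csr, server.crt); subjects, key sizes and the
# second CA "otherca" are constructed for this demonstration.
set -e

# Make a self-signed CA (key $2.key, plain-PEM certificate $2.crt) in directory $1
# with subject $3.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Build the thread's PKI in directory $1: CA, a -trustout copy of its certificate,
# an unrelated CA, and a server certificate signed by the first CA.
make_pki() {
  dir="$1"
  make_ca "$dir" ca "/C=US/ST=New York/L=New York/CN=akuma-c"
  # The same CA certificate written the way the thread's "-trustout" step writes it.
  openssl x509 -in "$dir/ca.crt" -trustout -out "$dir/ca.pem" >/dev/null 2>&1
  # An unrelated CA: "some CA cert is in the truststore, but not the issuing one".
  make_ca "$dir" otherca "/C=US/O=Unrelated/CN=other-ca"
  # Server key and request, signed by the CA as the thread does it.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=US/ST=New York/L=New York/O=MyOrg/CN=akuma-c" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  echo "02" > "$dir/ca.srl"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAserial "$dir/ca.srl" -days 365 -out "$dir/server.crt" >/dev/null 2>&1
}

# Print the PEM label of the first block in file $1 (CERTIFICATE or TRUSTED CERTIFICATE).
pem_label() {
  sed -n '1s/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Try to chain $1/server.crt to the CA certificate(s) in file $2 and nothing else.
# Prints ok or fail, which is what keytool and the TLS handshake decide on.
verify_with() {
  if openssl verify -CAfile "$2" -no-CApath "$1/server.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# The same check with no trusted CA at all: no chain can be established.
verify_without_ca() {
  if openssl verify -no-CAfile -no-CApath "$1/server.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Run every check and print one line: <label of ca.pem> <issuing CA> <wrong CA> <no CA>.
demo() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "skipped: openssl not found"
    return 0
  fi
  dir=$(mktemp -d)
  make_pki "$dir"
  printf '%s %s %s %s\n' "$(pem_label "$dir/ca.pem")" \
    "$(verify_with "$dir" "$dir/ca.crt")" \
    "$(verify_with "$dir" "$dir/otherca.crt")" \
    "$(verify_without_ca "$dir")"
  rm -rf "$dir"
}

demo
```

Running it prints `TRUSTED CERTIFICATE ok fail fail`: the -trustout file carries the label keytool of that era did not read, the server certificate chains only when the CA that actually signed it is the trusted one, and a truststore with an unrelated CA is no better than an empty one. keytool applies the same rule when importing a signed reply: the issuer certificate has to be present already, in the keystore itself or (with -trustcacerts) in cacerts, and in a form it can parse, or the reply is rejected; a client certificate under clientAuth=true is likewise accepted only if its issuing CA is in the truststoreFile the connector actually uses.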