> > #Import the CA certificate into the JDK certificate authorities keystore: > > keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file > > ca.pem -alias myalias -keypass changeit > > > > This is either/or with truststoreFile (which, since you are using 4.1.x, is > done with the -Djavax.net.ssl.trustStore=/path/to/trust.store; for TC 3 & 5 > it's configured like keystoreFile). However, you need to trust your CA cert > (i.e. -trustcacerts).
So if I understand you correctly, I need to add a -trustcacerts flag to the keytool command above that imports the CA cert? And, since I am using 4.1 I do need the -Djavax.net.ssl.trustStore=... in my CATALINA_OPTS because 4.1 doesn't support the truststoreFile= in the Coyote connector? Not trying to be dense (I come by that naturally), just want to be clear. > This (and everything I've said before) is assuming that you're using the > Coyote Connector. I don't really remember how the (deprecated) > Http11Connector works (and don't care enough to look it up :). Assumption correct. > > # Create a file to hold CA's serial numbers. > > echo "02" > ca.srl > > > > # Create a keystore for web server. > > keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D, O=MyOrg, > > L=New > > York, S=New York, C=US" -keyalg RSA -keypass changeit -storepass > > changeit -keysize 1024 -keystore server.keystore -storetype JKS > > > > # Create a certificate request for web server: > > keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore > > server.keystore -storepass changeit > > > > # Sign the certificate request: > > openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in > > server.csr -out server.crt -days 365 > > > > # Import the signed server certificate into the server keystore: > > keytool -import -alias tomcat-sv -keystore > > server.keystore -trustcacerts -file server.crt -storepass changeit > > > > It's good practice to import the server CA as well, so that JSSE can send > the entire chain, but at this point, I imagine you just want it to work ;-). You can say that again. But, when you say the "server CA", which file are you referring to? > It's also necessary if you are pointing your truststore to your keystore. > > > I get a 'Failed to establish chain from reply' exception at his point. > > > > Since you re-created your CA, you would need to re-import it into your > browser. However, I'm guessing that it's because of the lack of trust > mentioned above. > > > > > > > ----- Original Message ----- > > From: "joelsherriff" <[EMAIL PROTECTED]> > > To: "Tomcat Users List" <tomcat-user@jakarta.apache.org> > > Sent: Saturday, March 26, 2005 11:24 AM > > Subject: Re: Help with SSL & Cert config > > > > > >> Ah. Thanks for the help, truly, but I'm still not getting there. I > > didn't > >> even know about the truststoreFile so I googled it and saw mention that > > the > >> easiest thing to do is to set the truststoreFile = the keystoreFile, > >> since > >> that already has the CA cert in it. So, I tried setting truststoreFile > >> to > >> point to my keystoreFile in server.xml. That didn't help. Then I saw > > that > >> there might be issues with setting truststoreFile in the server.xml in > >> Tomcat 4.1 so I set it in CATALINA_OPTS like: > >> > >> -Djavax.net.ssl.trustStore="C:/Program Files/Apache Group/Tomcat > >> 4.1/conf/server.keystore" > >> > >> and that didn't help either. Anything else I'm missing? > >> > >> > >> ----- Original Message ----- > >> From: "Bill Barker" <[EMAIL PROTECTED]> > >> To: <tomcat-user@jakarta.apache.org> > >> Sent: Friday, March 25, 2005 10:13 PM > >> Subject: Re: Help with SSL & Cert config > >> > >> > >> > > >> > "joelsherriff" <[EMAIL PROTECTED]> wrote in message > >> > news:[EMAIL PROTECTED] > >> > >I thought that's what this step: > >> > > > >> > > # Import the CA certificate into the server keystore: > >> > > keytool -import -alias my_ca_alias -keystore > >> > > server.keystore -trustcacerts -file ca.pem -keypass changeit > >> > > > >> > > was doing. No? > >> > > > >> > > >> > No. That's putting it into your keystoreFile. The keystoreFile is to > >> > identify you. The truststoreFile is to identify other people. > >> > > >> > > ----- Original Message ----- > >> > > From: "Bill Barker" <[EMAIL PROTECTED]> > >> > > To: <tomcat-user@jakarta.apache.org> > >> > > Sent: Friday, March 25, 2005 8:51 PM > >> > > Subject: Re: Help with SSL & Cert config > >> > > > >> > > > >> > >> You need to put your CA cert into your Tomcat truststoreFile. > >> Otherwise, > >> > >> you client's cert won't be trusted. > >> > >> > >> > >> "joelsherriff" <[EMAIL PROTECTED]> wrote in message > >> > >> news:[EMAIL PROTECTED] > >> > >> I'm resending this message because a) for some reason I didn't see > >> > >> it > >> on > >> > > the > >> > >> list after I sent it and b) I never got any responses (maybe because > > of > >> > >> _a_). So, if my original post did actually make it to the list, > > please > >> > >> forgive the re-post. > >> > >> > >> > >> Hope someone can help. I've searched through the archives and this > >> seems > >> > > to > >> > >> be a common problem, but even detailed instructions > >> > >> have left me stumped. I'm trying to get client certificates to be > >> > > required > >> > >> by tomcat by setting clientAuth=true but I can't seem to figure out > > how > >> > >> to get the client certificate to be accepted once I do that. Here's > >> what > >> > >> I've done to generate all the appropriate files (parts coped from > >> > >> other posts to this list): > >> > >> > >> > >> Further elaboration of what we're trying to do: We want to require > >> > >> client > >> > >> authentication from our customers. So, IIUC, we'll have to send > >> > >> them > > a > >> > >> signed client cert (p12) to install in their browser and java > >> keystores. > >> > >> Again, IIUC, importing the CA certificate, that was used to sign the > >> > > client > >> > >> cert, into the server keystore is what tells the server to accept > >> > >> the > >> > > client > >> > >> certificate presented, because it will be signed by that CA (us). > >> > >> Is > >> my > >> > >> understanding correct? If so, these steps appear to be correct, > > unless > >> > > I've > >> > >> hosed something up along the way. > >> > >> > >> > >> # Create a private key and certificate request > >> > >> openssl req -new -subj "/C=US/ST=North > >> > >> Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out > >> > >> ca.csr -keyout > >> > >> ca.key > >> > >> > >> > >> # Create CA's self-signed certificate > >> > >> openssl x509 -trustout -signkey ca.key -days 365 -req -in > >> > >> ca.csr -out > >> > > ca.pem > >> > >> > >> > >> # Copy ca.pem to ca.crt, edit and change "TRUSTED CERTIFICATE" to > >> > >> "CERTIFICATE" > >> > >> # import ca.crt into the Trusted Root Certificates Store in IE > >> > >> > >> > >> #Import the CA certificate into the JDK certificate authorities > >> keystore: > >> > >> keytool -import -keystore > > "%JAVA_HOME%/jre/lib/security/cacerts" -file > >> > >> ca.pem -alias my_ca_alias -keypass changeit -storepass changeit > >> > >> > >> > >> # Create a file to hold CA's serial numbers. > >> > >> echo "02" > ca.srl > >> > >> > >> > >> # Create a keystore for the web server. > >> > >> keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D, > >> > >> O=MyOrganization, L=Raleigh, S=North Carolina, C=US" -keyalg > >> RSA -keypass > >> > >> changeit -storepass changeit -keysize 1024 -keystore > >> > >> server.keystore -storetype JKS > >> > >> > >> > >> # Create a certificate request for the web server: > >> > >> keytool -certreq -keyalg RSA -alias tomcat-sv -file > >> server.csr -keystore > >> > >> server.keystore -storepass changeit > >> > >> > >> > >> # Sign the certificate request: > >> > >> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in > >> > >> server.csr -out server.crt -days 365 > >> > >> > >> > >> # Import the signed server certificate into the server keystore: > >> > >> keytool -import -alias tomcat-sv -keystore > >> > >> server.keystore -trustcacerts -file server.crt -storepass changeit > >> > >> > >> > >> # Import the CA certificate into the server keystore: > >> > >> keytool -import -alias my_ca_alias -keystore > >> > >> server.keystore -trustcacerts -file ca.pem -keypass changeit > >> > >> > >> > >> # Create a client certificate request: > >> > >> openssl req -new -newkey rsa:512 -nodes -out client1.req -keyout > >> > > client1.key > >> > >> > >> > >> # Sign the client certificate. > >> > >> openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in > >> > >> client1.req -out client1.pem -days 365 > >> > >> > >> > >> # Generate a PKCS12 file containing client key and client > > certificate. > >> > >> openssl pkcs12 -export -clcerts -in client1.pem -inkey > > client1.key -out > >> > >> client1.p12 -name "Client" > >> > >> > >> > >> # Import the PKCS12 file into the web browser under Personal > >> Certificates > >> > >> > >> > >> # edit the server.xml file and set clientAuth=true and keystoreFile > > to > >> > > point > >> > >> to my server.keystore file. > >> > >> > >> > >> Once all this is done, neither IE nor my web app can talk to tomcat > > on > >> > >> the > >> > >> ssl port (8443) > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> --------------------------------------------------------------------- > >> > >> To unsubscribe, e-mail: [EMAIL PROTECTED] > >> > >> For additional commands, e-mail: [EMAIL PROTECTED] > >> > >> > >> > >> > >> > > >> > > >> > > >> > > >> > --------------------------------------------------------------------- > >> > To unsubscribe, e-mail: [EMAIL PROTECTED] > >> > For additional commands, e-mail: [EMAIL PROTECTED] > >> > > >> > > >> > >> > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: [EMAIL PROTECTED] > >> For additional commands, e-mail: [EMAIL PROTECTED] > >> > >> > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
