There's a light at the end of this tunnel - I've got it mostly working - via a browser anyway. My previous trivial problem was the imports of the CA and cert signed by that CA needed to be in the opposite order - CA first, then cert - so that keytool would accept the cert.

My next, and hopefully last, problem is that I can't seem to get the command to install the client cert in the java keystore correct. I tried just a simple

keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file client1.pem -alias myalias

But with or without this my java client can't connect - tomcat gives a "certificate_unknown" exception. The instructions I've been using don't mention what to do to get the client cert in the java keystore. They only say:

- create client cert request
- have the ca sign it
- generate a pkcs12 file from it
- import the pkcs12 into the browser

nothing about importing the client cert into the java keystore. Is there some other step I need to perform before/instead of importing the .pem into the cacerts file?

----- Original Message -----
From: "joelsherriff" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Sent: Saturday, March 26, 2005 9:07 PM
Subject: Re: Help with SSL & Cert config

> > > # Import the CA certificate into the JDK certificate authorities keystore:
> > > keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file ca.pem -alias myalias -keypass changeit
> >
> > This is either/or with truststoreFile (which, since you are using 4.1.x, is done with the -Djavax.net.ssl.trustStore=/path/to/trust.store; for TC 3 & 5 it's configured like keystoreFile). However, you need to trust your CA cert (i.e. -trustcacerts).
>
> So if I understand you correctly, I need to add a -trustcacerts flag to the keytool command above that imports the CA cert? And, since I am using 4.1 I do need the -Djavax.net.ssl.trustStore=... in my CATALINA_OPTS because 4.1 doesn't support the truststoreFile= in the Coyote connector? Not trying to be dense (I come by that naturally), just want to be clear.
>
> > This (and everything I've said before) is assuming that you're using the Coyote Connector. I don't really remember how the (deprecated) Http11Connector works (and don't care enough to look it up :).
>
> Assumption correct.
>
> > > # Create a file to hold CA's serial numbers.
> > > echo "02" > ca.srl
> > >
> > > # Create a keystore for web server.
> > > keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D, O=MyOrg, L=New York, S=New York, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
> > >
> > > # Create a certificate request for web server:
> > > keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
> > >
> > > # Sign the certificate request:
> > > openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
> > >
> > > # Import the signed server certificate into the server keystore:
> > > keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit
> >
> > It's good practice to import the server CA as well, so that JSSE can send the entire chain, but at this point, I imagine you just want it to work ;-).
>
> You can say that again. But, when you say the "server CA", which file are you referring to?
>
> > It's also necessary if you are pointing your truststore to your keystore.
> >
> > > I get a 'Failed to establish chain from reply' exception at this point.
> >
> > Since you re-created your CA, you would need to re-import it into your browser. However, I'm guessing that it's because of the lack of trust mentioned above.
> >
> > > ----- Original Message -----
> > > From: "joelsherriff" <[EMAIL PROTECTED]>
> > > To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > > Sent: Saturday, March 26, 2005 11:24 AM
> > > Subject: Re: Help with SSL & Cert config
> > >
> > > > Ah. Thanks for the help, truly, but I'm still not getting there. I didn't even know about the truststoreFile so I googled it and saw mention that the easiest thing to do is to set the truststoreFile = the keystoreFile, since that already has the CA cert in it. So, I tried setting truststoreFile to point to my keystoreFile in server.xml. That didn't help. Then I saw that there might be issues with setting truststoreFile in the server.xml in Tomcat 4.1 so I set it in CATALINA_OPTS like:
> > > >
> > > > -Djavax.net.ssl.trustStore="C:/Program Files/Apache Group/Tomcat 4.1/conf/server.keystore"
> > > >
> > > > and that didn't help either. Anything else I'm missing?
> > > >
> > > > ----- Original Message -----
> > > > From: "Bill Barker" <[EMAIL PROTECTED]>
> > > > To: <tomcat-user@jakarta.apache.org>
> > > > Sent: Friday, March 25, 2005 10:13 PM
> > > > Subject: Re: Help with SSL & Cert config
> > > >
> > > > > "joelsherriff" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> > > > > > I thought that's what this step:
> > > > > >
> > > > > > # Import the CA certificate into the server keystore:
> > > > > > keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
> > > > > >
> > > > > > was doing. No?
> > > > >
> > > > > No. That's putting it into your keystoreFile. The keystoreFile is to identify you. The truststoreFile is to identify other people.
> > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Bill Barker" <[EMAIL PROTECTED]>
> > > > > > To: <tomcat-user@jakarta.apache.org>
> > > > > > Sent: Friday, March 25, 2005 8:51 PM
> > > > > > Subject: Re: Help with SSL & Cert config
> > > > > >
> > > > > > > You need to put your CA cert into your Tomcat truststoreFile. Otherwise, your client's cert won't be trusted.
> > > > > > >
> > > > > > > "joelsherriff" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> > > > > > >
> > > > > > > I'm resending this message because a) for some reason I didn't see it on the list after I sent it and b) I never got any responses (maybe because of _a_). So, if my original post did actually make it to the list, please forgive the re-post.
> > > > > > >
> > > > > > > Hope someone can help. I've searched through the archives and this seems to be a common problem, but even detailed instructions have left me stumped. I'm trying to get client certificates to be required by tomcat by setting clientAuth=true but I can't seem to figure out how to get the client certificate to be accepted once I do that. Here's what I've done to generate all the appropriate files (parts copied from other posts to this list):
> > > > > > >
> > > > > > > Further elaboration of what we're trying to do: We want to require client authentication from our customers. So, IIUC, we'll have to send them a signed client cert (p12) to install in their browser and java keystores. Again, IIUC, importing the CA certificate, that was used to sign the client cert, into the server keystore is what tells the server to accept the client certificate presented, because it will be signed by that CA (us). Is my understanding correct? If so, these steps appear to be correct, unless I've hosed something up along the way.
> > > > > > >
> > > > > > > # Create a private key and certificate request
> > > > > > > openssl req -new -subj "/C=US/ST=North Carolina/L=Raleigh/CN=akuma-c" -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key
> > > > > > >
> > > > > > > # Create CA's self-signed certificate
> > > > > > > openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
> > > > > > >
> > > > > > > # Copy ca.pem to ca.crt, edit and change "TRUSTED CERTIFICATE" to "CERTIFICATE"
> > > > > > > # import ca.crt into the Trusted Root Certificates Store in IE
> > > > > > >
> > > > > > > # Import the CA certificate into the JDK certificate authorities keystore:
> > > > > > > keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file ca.pem -alias my_ca_alias -keypass changeit -storepass changeit
> > > > > > >
> > > > > > > # Create a file to hold CA's serial numbers.
> > > > > > > echo "02" > ca.srl
> > > > > > >
> > > > > > > # Create a keystore for the web server.
> > > > > > > keytool -genkey -alias tomcat-sv -dname "CN=akuma-c, OU=R&D, O=MyOrganization, L=Raleigh, S=North Carolina, C=US" -keyalg RSA -keypass changeit -storepass changeit -keysize 1024 -keystore server.keystore -storetype JKS
> > > > > > >
> > > > > > > # Create a certificate request for the web server:
> > > > > > > keytool -certreq -keyalg RSA -alias tomcat-sv -file server.csr -keystore server.keystore -storepass changeit
> > > > > > >
> > > > > > > # Sign the certificate request:
> > > > > > > openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in server.csr -out server.crt -days 365
> > > > > > >
> > > > > > > # Import the signed server certificate into the server keystore:
> > > > > > > keytool -import -alias tomcat-sv -keystore server.keystore -trustcacerts -file server.crt -storepass changeit
> > > > > > >
> > > > > > > # Import the CA certificate into the server keystore:
> > > > > > > keytool -import -alias my_ca_alias -keystore server.keystore -trustcacerts -file ca.pem -keypass changeit
> > > > > > >
> > > > > > > # Create a client certificate request:
> > > > > > > openssl req -new -newkey rsa:512 -nodes -out client1.req -keyout client1.key
> > > > > > >
> > > > > > > # Sign the client certificate.
> > > > > > > openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in client1.req -out client1.pem -days 365
> > > > > > >
> > > > > > > # Generate a PKCS12 file containing client key and client certificate.
> > > > > > > openssl pkcs12 -export -clcerts -in client1.pem -inkey client1.key -out client1.p12 -name "Client"
> > > > > > >
> > > > > > > # Import the PKCS12 file into the web browser under Personal Certificates
> > > > > > >
> > > > > > > # edit the server.xml file and set clientAuth=true and keystoreFile to point to my server.keystore file.
> > > > > > >
> > > > > > > Once all this is done, neither IE nor my web app can talk to tomcat on the ssl port (8443)

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
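The thread keeps coming back to one distinction: the keystore identifies you, the truststore identifies the other side, so the CA that signed the client cert must be in Tomcat's truststore and the CA that signed the server cert in the Java client's truststore. The script below is an added example (not from the thread) that builds a throwaway CA, signs a server and a client cert with it, and runs those trust checks with openssl alone; `Test CA`, `akuma-c`, `client1` and the `check_chain` helper are constructed for the example, and openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example: throwaway CA, a server cert and a client cert signed by it,
# then the trust relationships a keystore/truststore setup has to satisfy.
# Names (Test CA, akuma-c, client1) are constructed; no keytool needed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# CA key and self-signed CA certificate (req -x509 marks it CA:TRUE by default).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/C=US/ST=North Carolina/L=Raleigh/CN=Test CA" \
  -keyout ca.key -out ca.pem >/dev/null 2>&1

# Same two steps for the server and the client: CSR, then the CA signs it.
issue_cert() {  # $1 = file prefix, $2 = CN
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=US/ST=North Carolina/L=Raleigh/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -out "$1.pem" >/dev/null 2>&1
}
issue_cert server akuma-c
issue_cert client1 client1

# Client key + cert as PKCS12: what the browser (and a JSSE key store) imports.
openssl pkcs12 -export -clcerts -in client1.pem -inkey client1.key \
  -out client1.p12 -name "Client" -passout pass:changeit

# verify_against CAFILE CERT: exit 0 when CERT chains to a CA in CAFILE,
# i.e. the check a truststore performs on the peer's certificate.
verify_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# check_chain (hypothetical helper): exit 0 when every trust relationship holds.
check_chain() {
  # Tomcat's truststore holds ca.pem, so it must verify the client cert...
  verify_against ca.pem client1.pem || return 1
  # ...and the Java client's truststore, holding the same CA, verifies the server.
  verify_against ca.pem server.pem || return 1
  # The server's own cert is not a CA: a truststore holding only server.pem
  # cannot verify the client, which is why ca.pem is what gets trusted.
  if verify_against server.pem client1.pem; then return 1; fi
  # The PKCS12 bundle carries the client's own cert (identity), not the CA.
  openssl pkcs12 -in client1.p12 -passin pass:changeit -nokeys -clcerts 2>/dev/null \
    | grep -q "CN *= *client1"
}

check_chain && echo "all trust checks passed"
```

On the Java client side the PKCS12 bundle is the key store (JSSE's -Djavax.net.ssl.keyStore=client1.p12 -Djavax.net.ssl.keyStoreType=PKCS12, with its password), while ca.pem goes into the trust store; cacerts is only ever a trust store.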