Hi All

Nothing seems to work out for me with client auth. Here is what I've done:

CA and Certificates
1) perl CA.pl -newca
2) perl CA.pl -newreq
3) perl CA.pl -sign
4) openssl rsa < newreq.pem > server_key.pem
5) mv newcert.pem server_cert.pem
6) mv newreq.pem server_req.pem
7) perl CA.pl -newreq
8) perl CA.pl -sign
9) mv newreq.pem client_req.pem
10) mv newcert.pem client_cert.pem
11) openssl rsa < client_req.pem > client_key.pem
12) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12
13) openssl x509 -in server_cert.pem -out server.x509
14) openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem -out server.p12
15) keytool -genkey -alias tomcat -storepass changeit
16) keytool -import -alias TomcatCA -file demoCA/cacert.pem

I then import the CA's self-signed certificate to the client's machine along with the p12 certificate.

My tomcat-users.xml file:

<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <role rolename="certs"/>
  <role rolename="admin"/>
  <user username="mahesh" password="mahesh" roles="admin,manager"/>
  <user username="CN=Mahesh, OU=SAD, O=Robosoft, L=UDP, ST=Kar, C=IN" password="" roles="tomcat,certs"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
</tomcat-users>

Where am I going wrong? Even if the certificates are in the client's machine, the certificate identity window always pops up.

Regards & Thanks
================
Mahesh S Kudva

-----Original Message-----
From: Mark Thomas <[EMAIL PROTECTED]>
To: Tomcat Users List <tomcat-user@jakarta.apache.org>
Date: Tue, 03 May 2005 23:00:57 +0100
Subject: Re: Client Authentication

> The CN for your server cert can be anything you like but you will get a
> warning in your browser if the CN differs from how you express it in the
> URL.
>
> The user needs to look something like this
> <user username="CN=Mark Thomas, OU=Jakarta, O=Apache, L=London, C=GB"
> password="null" roles="tomcat,certs"/>
> in tomcat-users. It must be the full DN of the user certificate.
>
> HTH,
>
> Mark
>
> Mahesh S Kudva wrote:
> > Hi
> >
> > It seems like a silly question. But I am new to SSL and Certificates as
> > well as Tomcat.
> >
> > If my machine's IP is 192.168.0.1 then I access tomcat as
> > https://192.168.0.1:8443. Keeping this in mind, should I give the Common Name
> > as 192.168.0.1 ???
> >
> > How do I specify the client info in the tomcat-users.xml?
> >
> > <user name=mahesh password=kudva role="admin">
> >
> > This is what my tomcat-users.xml file looks like.
> >
> > Regards & Thanks
> > ================
> > Mahesh S Kudva
> >
> >
> > -----Original Message-----
> > From: "lercoli" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > Date: Tue, 3 May 2005 14:33:46 +0200
> > Subject: Re: Client Authentication
> >
> >
> >>CA and Tomcat common name should be the same (localhost or better your
> >>DNS).
> >>First and Last Name of client should be the name of a Tomcat user declared
> >>in tomcat-users.xml.
> >>
> >>Luca Ercoli
> >>
> >>----- Original Message -----
> >>From: "Mahesh S Kudva" <[EMAIL PROTECTED]>
> >>To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> >>Sent: Tuesday, May 03, 2005 1:41 PM
> >>Subject: Re: Client Authentication
> >>
> >>
> >>
> >>>Hi
> >>>
> >>>What kind of information do I need to put in the fields of First and Last
> >>>name and Common name? Will any information do, or is it required that I
> >>>need to put in the server address in the client.p12 certificate..
> >>>
> >>>Regards & Thanks
> >>>================
> >>>Mahesh S Kudva
> >>>
> >>>
> >>>-----Original Message-----
> >>>From: "Mahesh S Kudva" <[EMAIL PROTECTED]>
> >>>To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> >>>Date: Mon, 02 May 2005 23:04:50 +0530
> >>>Subject: Re: Client Authentication
> >>>
> >>>
> >>>>Hi
> >>>>
> >>>>I tried with client.p12 first; when I failed I went on with
> >>>>client_cert.x509. I placed it in the personal folder ...
> >>>>
> >>>>Regards & Thanks
> >>>>================
> >>>>Mahesh S Kudva
> >>>>
> >>>>
> >>>>-----Original Message-----
> >>>>From: "lercoli" <[EMAIL PROTECTED]>
> >>>>To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> >>>>Date: Mon, 2 May 2005 17:31:54 +0200
> >>>>Subject: Re: Client Authentication
> >>>>
> >>>>
> >>>>>You should import only the client.p12 certificate in the IE browser and
> >>>>>when IE asks you in which folder you want to put it, select Personal
> >>>>>Folder.
> >>>>>
> >>>>>I hope it helps you.
> >>>>>
> >>>>>Luca Ercoli
> >>>>>
> >>>>>
> >>>>>----- Original Message -----
> >>>>>From: "Mahesh S Kudva" <[EMAIL PROTECTED]>
> >>>>>To: <tomcat-user@jakarta.apache.org>
> >>>>>Sent: Monday, May 02, 2005 5:08 PM
> >>>>>Subject: Client Authentication
> >>>>>
> >>>>>
> >>>>>
> >>>>>>Dear All
> >>>>>>
> >>>>>>I've been able to set up Tomcat 5.0.30 successfully on port 8443. I
> >>>>>>want to use client authentication. Hence I've enabled clientAuth=true in
> >>>>>>server.xml
> >>>>>>
> >>>>>>Running on Mac OS X, these were the commands to create a CA and sign a
> >>>>>>certificate using this CA.
> >>>>>>
> >>>>>>Creating a new CA:
> >>>>>>1) perl CA.pl -newca
> >>>>>>
> >>>>>>Certificate request using openssl:
> >>>>>>1) perl CA.pl -newreq
> >>>>>>2) perl CA.pl -sign
> >>>>>>3) mv newreq.pem client_req.pem
> >>>>>>4) mv newcert.pem client_cert.pem
> >>>>>>5) openssl rsa < client_req.pem > client_key.pem
> >>>>>>6) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out
> >>>>>>   client.p12
> >>>>>>
> >>>>>>For Tomcat using Java keytool to request certificate:
> >>>>>>1) openssl x509 -in server_cert.pem -out server.x509
> >>>>>>2) openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem
> >>>>>>   -out server.p12
> >>>>>>3) keytool -genkey -alias meAsClient -storepass changeit
> >>>>>>4) keytool -certreq -alias measclient -file client.csr -storepass changeit
> >>>>>>5) openssl x509 -req -CA demoCA/cacert.pem -CAkey
> >>>>>>   demoCA/private/cakey.pem -extensions v3_ca -in client.csr -inform DER
> >>>>>>   -out client_cert.x509 -CAcreateserial
> >>>>>>6) keytool -import -alias butterflyCA -keystore /Syst.. ..urity/cacerts
> >>>>>>   -file ../CA/demoCA/cacert.pem
> >>>>>>7) keytool -import -alias measclient -keystore clientstore -trustcacerts
> >>>>>>   -file client_cert.x509
> >>>>>>
> >>>>>>
> >>>>>>Following these commands I don't get any errors. I then import the
> >>>>>>cacert.pem, the ROOT CA certificate, and the client.p12 and
> >>>>>>client_cert.x509 to the browser I.E 6.0. But still there is a popup
> >>>>>>requesting the client's identity, and it asks me to select a
> >>>>>>certificate and no certificates are displayed.
> >>>>>>
> >>>>>>How can I go about this?
> >>>>>>
> >>>>>>
> >>>>>>All suggestions and ideas are welcome.
> >>>>>>
> >>>>>>Regards & Thanks
> >>>>>>================
> >>>>>>Mahesh S Kudva
> >>>>>>
> >>>>>>-------------------------------------------------------
> >>>>>>Robosoft Technologies - Partners in Product Development
> >>>>>>
> >>>>>>---------------------------------------------------------------------
> >>>>>>To unsubscribe, e-mail: [EMAIL PROTECTED]
> >>>>>>For additional commands, e-mail: [EMAIL PROTECTED]
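As an added example, not from the thread, a small Python check of the point Mark makes above: the username in tomcat-users.xml has to be the certificate subject exactly as the JVM renders it (most specific RDN first, joined with ", "), which is the reverse of the slash-separated form that `openssl x509 -noout -subject` prints. The subject line and the tomcat-users.xml fragment below are constructed from the values in the thread; the older slash-form OpenSSL output is assumed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: what `openssl x509 -noout -subject -in client_cert.pem`
# prints (older OpenSSL slash form, most general RDN first).
OPENSSL_SUBJECT = "subject= /C=IN/ST=Kar/L=UDP/O=Robosoft/OU=SAD/CN=Mahesh"

# Constructed fragment of the tomcat-users.xml from the thread.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="certs"/>
  <user username="mahesh" password="mahesh" roles="admin,manager"/>
  <user username="CN=Mahesh, OU=SAD, O=Robosoft, L=UDP, ST=Kar, C=IN"
        password="" roles="tomcat,certs"/>
</tomcat-users>"""


def openssl_subject_to_java_dn(subject_line):
    """Turn OpenSSL's '/C=IN/ST=.../CN=...' subject into the string the Tomcat
    realm compares against: the JVM's X500 rendering, most specific RDN first,
    separated by ', '.  Note that RFC 2253 output ('CN=..,OU=..' without
    spaces) does not match either; the separator must be ', '."""
    body = subject_line.split("=", 1)[1] if subject_line.startswith("subject") else subject_line
    # split on '/' unless it is backslash-escaped inside a value
    parts = [p for p in re.split(r"(?<!\\)/", body.strip()) if p]
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append(f"{attr.strip()}={value.replace(chr(92) + '/', '/')}")
    return ", ".join(reversed(rdns))


def lookup_cert_user(tomcat_users_xml, dn):
    """Return the roles of the <user> whose username equals the DN exactly,
    or None when there is no match (a common cause of the browser repeatedly
    asking for a certificate)."""
    root = ET.fromstring(tomcat_users_xml)
    for user in root.iter("user"):
        if user.get("username") == dn:
            return [r for r in user.get("roles", "").split(",") if r]
    return None


if __name__ == "__main__":
    dn = openssl_subject_to_java_dn(OPENSSL_SUBJECT)
    print("Tomcat will look up username:", dn)
    print("roles granted:", lookup_cert_user(TOMCAT_USERS_XML, dn))
```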