Hi all, I sorted it out. Thanks for your help.
These are the steps I followed. Hope it helps someone.

1) perl CA.pl -newca (create a new CA)
2) perl CA.pl -newreq (new client request)
3) perl CA.pl -sign (sign the certificate request)
4) openssl rsa < newreq.pem > client_key.pem (extract the RSA key)
5) mv newreq.pem client_req.pem (renaming for your identification)
6) mv newcert.pem client_cert.pem (renaming for your identification)
7) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12 (generate a pkcs12 certificate)
8) keytool -genkey -alias tomcat -keyalg RSA (generate your keystore)
9) keytool -certreq -keyalg RSA -alias tomcat -file tomcat.csr (generate a request for Tomcat)
10) openssl x509 -req -CA democa/cacert.pem -CAkey democa/private/cakey.pem -extensions v3_ca -in tomcat.csr -inform DER -out tomcat.x509 -CAcreateserial (sign the Tomcat certificate request with your CA)
11) keytool -import -alias MyRootCA -keystore JAVA_HOME/jre/lib/security/cacerts -file democa/cacert.pem (import the CA's self-signed certificate into the truststore)
12) keytool -import -alias tomcat -file tomcat.x509

Import both democa/cacert.pem and client.p12 to the client's machine. In your server.xml file enable client authentication by changing clientAuth="true", and that's it.

Regards & Thanks
================
Mahesh S Kudva

-----Original Message-----
From: "Mahesh S Kudva" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Date: Fri, 13 May 2005 22:26:59 +0530
Subject: Re: Client Authentication

> Hi All
>
> How do I go about with client Authentication?
>
> Regards & Thanks
> ================
> Mahesh S Kudva
>
> -----Original Message-----
> From: "Mahesh S Kudva" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> Date: Tue, 10 May 2005 20:51:08 +0530
> Subject: Re: Client Authentication
>
> Hi All
>
> Nothing seems to work out for me with client auth.
> Here is what I've done:
>
> CA and Certificates
> 1) perl CA.pl -newca
> 2) perl CA.pl -newreq
> 3) perl CA.pl -sign
> 4) openssl rsa < newreq.pem > server_key.pem
> 5) mv newcert.pem server_cert.pem
> 6) mv newreq.pem server_req.pem
> 7) perl CA.pl -newreq
> 8) perl CA.pl -sign
> 9) mv newreq.pem client_req.pem
> 10) mv newcert.pem client_cert.pem
> 11) openssl rsa < client_req.pem > client_key.pem
> 12) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12
> 13) openssl x509 -in server_cert.pem -out server.x509
> 14) openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem -out server.p12
> 15) keytool -genkey -alias tomcat -storepass changeit
> 16) keytool -import -alias TomcatCA -file demoCA/cacert.pem
>
> I then import the CA's self-signed certificate to the client's machine along with the p12 certificate.
>
> My tomcat-users.xml file:
>
> <tomcat-users>
>   <role rolename="tomcat"/>
>   <role rolename="role1"/>
>   <role rolename="manager"/>
>   <role rolename="certs"/>
>   <role rolename="admin"/>
>   <user username="mahesh" password="mahesh" roles="admin,manager"/>
>   <user username="CN=Mahesh, OU=SAD, O=Robosoft, L=UDP, ST=Kar, C=IN" password="" roles="tomcat,certs"/>
>   <user username="tomcat" password="tomcat" roles="tomcat"/>
>   <user username="role1" password="tomcat" roles="role1"/>
>   <user username="both" password="tomcat" roles="tomcat,role1"/>
> </tomcat-users>
>
> Where am I going wrong?
> Even if the certificates are in the client's machine, the certificate identity window always pops up.
>
> Regards & Thanks
> ================
> Mahesh S Kudva
>
> -----Original Message-----
> From: Mark Thomas <[EMAIL PROTECTED]>
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Date: Tue, 03 May 2005 23:00:57 +0100
> Subject: Re: Client Authentication
>
> > The CN for your server cert can be anything you like but you will get a warning in your browser if the CN differs from how you express it in the URL.
> >
> > The user needs to look something like this
> > <user username="CN=Mark Thomas, OU=Jakarta, O=Apache, L=London, C=GB" password="null" roles="tomcat,certs"/>
> > in tomcat-users. It must be the full DN of the user certificate.
> >
> > HTH,
> >
> > Mark
> >
> > Mahesh S Kudva wrote:
> > > Hi
> > >
> > > It seems like a silly question. But I am new to SSL and Certificates as well as Tomcat.
> > >
> > > If my machine's IP is 192.168.0.1 then I access tomcat as https://192.168.0.1:8443. Keeping this in mind, should I give the Common Name as 192.168.0.1 ???
> > >
> > > How do I specify the client info in the tomcat-users.xml?
> > >
> > > <user name=mahesh password=kudva role="admin">
> > >
> > > This is what my tomcat-users.xml file looks like.
> > >
> > > Regards & Thanks
> > > ================
> > > Mahesh S Kudva
> > >
> > > -----Original Message-----
> > > From: "lercoli" <[EMAIL PROTECTED]>
> > > To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > > Date: Tue, 3 May 2005 14:33:46 +0200
> > > Subject: Re: Client Authentication
> > >
> > >> CA and Tomcat common name should be the same (localhost or better your DNS).
> > >> First and Last Name of client should be the name of a Tomcat user declared in tomcat-users.xml.
> > >>
> > >> Luca Ercoli
> > >>
> > >> ----- Original Message -----
> > >> From: "Mahesh S Kudva" <[EMAIL PROTECTED]>
> > >> To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > >> Sent: Tuesday, May 03, 2005 1:41 PM
> > >> Subject: Re: Client Authentication
> > >>
> > >>> Hi
> > >>>
> > >>> What kind of information do I need to put in the fields of First and Last name and Common name? Will any information do, or is it required that I put the server address in the client.p12 certificate?
> > >>>
> > >>> Regards & Thanks
> > >>> ================
> > >>> Mahesh S Kudva
> > >>>
> > >>> -----Original Message-----
> > >>> From: "Mahesh S Kudva" <[EMAIL PROTECTED]>
> > >>> To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > >>> Date: Mon, 02 May 2005 23:04:50 +0530
> > >>> Subject: Re: Client Authentication
> > >>>
> > >>>> Hi
> > >>>>
> > >>>> I tried with client.p12 first; when I failed I went on with client_cert.x509. I placed it in the personal folder ...
> > >>>>
> > >>>> Regards & Thanks
> > >>>> ================
> > >>>> Mahesh S Kudva
> > >>>>
> > >>>> -----Original Message-----
> > >>>> From: "lercoli" <[EMAIL PROTECTED]>
> > >>>> To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > >>>> Date: Mon, 2 May 2005 17:31:54 +0200
> > >>>> Subject: Re: Client Authentication
> > >>>>
> > >>>>> You should import only the client.p12 certificate in the IE browser, and when IE asks you in which folder you want to put it, select Personal Folder.
> > >>>>>
> > >>>>> I hope it helps you.
> > >>>>>
> > >>>>> Luca Ercoli
> > >>>>>
> > >>>>> ----- Original Message -----
> > >>>>> From: "Mahesh S Kudva" <[EMAIL PROTECTED]>
> > >>>>> To: <tomcat-user@jakarta.apache.org>
> > >>>>> Sent: Monday, May 02, 2005 5:08 PM
> > >>>>> Subject: Client Authentication
> > >>>>>
> > >>>>>> Dear All
> > >>>>>>
> > >>>>>> I've been able to set up Tomcat 5.0.30 successfully on port 8443. I want to use client authentication. Hence I've enabled clientAuth=true in server.xml.
> > >>>>>>
> > >>>>>> Running on Mac OS X, these were the commands to create a CA and sign a certificate using this CA.
> > >>>>>>
> > >>>>>> Creating a new CA:
> > >>>>>> 1) perl CA.pl -newca
> > >>>>>>
> > >>>>>> Certificate request using openssl:
> > >>>>>> 1) perl CA.pl -newreq
> > >>>>>> 2) perl CA.pl -sign
> > >>>>>> 3) mv newreq.pem client_req.pem
> > >>>>>> 4) mv newcert.pem client_cert.pem
> > >>>>>> 5) openssl rsa < client_req.pem > client_key.pem
> > >>>>>> 6) openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client.p12
> > >>>>>>
> > >>>>>> For Tomcat using Java keytool to request certificate:
> > >>>>>> 1) openssl x509 -in server_cert.pem -out server.x509
> > >>>>>> 2) openssl pkcs12 -export -in server_cert.pem -inkey server_key.pem -out server.p12
> > >>>>>> 3) keytool -genkey -alias meAsClient -storepass changeit
> > >>>>>> 4) keytool -certreq -alias measclient -file client.csr -storepass changeit
> > >>>>>> 5) openssl x509 -req -CA demoCA/cacert.pem -CAkey demoCA/private/cakey.pem -extensions v3_ca -in client.csr -inform DER -out client_cert.x509 -CAcreateserial
> > >>>>>> 6) keytool -import -alias butterflyCA -keystore /Syst..
> > >>>>>> ..urity/cacerts -file ../CA/demoCA/cacert.pem
> > >>>>>> 7) keytool -import -alias measclient -keystore clientstore -trustcacerts -file client_cert.x509
> > >>>>>>
> > >>>>>> Following these commands I don't get any errors. I then import the cacert.pem (the ROOT CA certificate), the client.p12 and client_cert.x509 to the browser I.E 6.0. But still there is a popup requesting the client's identity; it asks me to select a certificate and no certificates are displayed.
> > >>>>>>
> > >>>>>> How can I go about this?
> > >>>>>>
> > >>>>>> All suggestions and ideas are welcome.
> > >>>>>>
> > >>>>>> Regards & Thanks
> > >>>>>> ================
> > >>>>>> Mahesh S Kudva
> > >>>>>>
> > >>>>>> -------------------------------------------------------
> > >>>>>> Robosoft Technologies - Partners in Product Development
> > >>>>>>
> > >>>>>> ---------------------------------------------------------------------
> > >>>>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
> > >>>>>> For additional commands, e-mail: [EMAIL PROTECTED]
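The point the thread keeps returning to is that the username in tomcat-users.xml must be the client certificate's full DN, written CN-first with ", " between components exactly as in the entries above. The script below is an added example, not part of the thread: it turns the subject line printed by `openssl x509 -noout -subject -in client_cert.pem` (legacy slash form or `-nameopt RFC2253` form) into that username form, checks whether tomcat-users.xml already has a matching entry, and prints the entry to add if not. The function names, the sample tomcat-users.xml and the temp-file path are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Tomcat's certificate realm looks the
# client up by the certificate's full DN, CN-first with ", " between
# components, as in the <user username="CN=..., OU=..., ..."/> entries above.
# One missing space or attribute means "no such user" and the browser prompts.

# Convert the output of `openssl x509 -noout -subject -in client_cert.pem`.
# Handles the legacy slash form (C first, so the order is reversed):
#   "subject= /C=IN/ST=Kar/L=UDP/O=Robosoft/OU=SAD/CN=Mahesh"
# and the `-nameopt RFC2253` form (already CN-first, no spaces):
#   "subject=CN=Mahesh,OU=SAD,O=Robosoft,L=UDP,ST=Kar,C=IN"
# Assumes no attribute value itself contains '/' or ','.
tomcat_dn_from_subject() {
    subj=$(printf '%s' "$1" | sed 's/^subject= *//')
    case $subj in
        /*) printf '%s' "$subj" | sed 's|^/||' |
                awk -F/ '{ for (i = NF; i > 0; i--) printf "%s%s", $i, (i > 1 ? ", " : ""); print "" }' ;;
        *)  printf '%s\n' "$subj" | sed 's/, */, /g' ;;
    esac
}

# Print the tomcat-users.xml entry for a DN. The thread's entries use an
# empty password because the certificate, not a password, authenticates.
emit_user_entry() {
    printf '  <user username="%s" password="" roles="%s"/>\n' "$1" "$2"
}

# Exit 0 if the file already has a <user> whose username is exactly this DN
# (-F: fixed-string match, so '=' and ',' in the DN are not regex syntax).
user_entry_exists() {
    grep -qF "username=\"$1\"" "$2"
}

# Demo on a constructed tomcat-users.xml in a temp file.
demo_users=$(mktemp)
cat > "$demo_users" <<'EOF'
<tomcat-users>
  <user username="CN=Mahesh, OU=SAD, O=Robosoft, L=UDP, ST=Kar, C=IN" password="" roles="tomcat,certs"/>
</tomcat-users>
EOF
dn=$(tomcat_dn_from_subject 'subject= /C=IN/ST=Kar/L=UDP/O=Robosoft/OU=SAD/CN=Mahesh')
if user_entry_exists "$dn" "$demo_users"; then
    echo "found user for $dn"
else
    echo "no user for $dn; add this line inside <tomcat-users>:"
    emit_user_entry "$dn" "tomcat,certs"
fi
rm -f "$demo_users"
```

Run it against the real file with `user_entry_exists "$dn" "$CATALINA_HOME/conf/tomcat-users.xml"` after pointing `tomcat_dn_from_subject` at the actual `openssl x509 -noout -subject` output.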