Hi,

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Brian Palmer
> Sent: Tuesday, February 26, 2002 12:58 PM
> To: [EMAIL PROTECTED]
> Subject: SSL Client authentication with standalone Tomcat
>
>
> I'm trying to set up for a simple project client-authentication and CA
> abilities, using standalone tomcat and openssl. I'm not having
> luck. The short version is, when I enable clientAuth, I am unable to
> connect to the server, getting various messages (in Mozilla 0.9.8, I
> get no error messages but the page will not load; using openssl
> s_client I get a write error).
>
> Forgive me in advance for this long message, but my hope is that by
> explicitly stating what I'm doing, it will be easy for someone more
> experienced to see where I'm going wrong. I've spent much of the last
> 2 days searching online for information and trying different
> approaches; most of the problems/solutions don't give a lot of details.
>
> I've done the following:
>
> Step 1: Generate the tomcat request for certificate
>   keytool -genkey -alias tomcat -keyalg RSA
>
>   keytool -certreq -alias tomcat -file my.csr
>
> Step 2: Generate the ca certificate
>   openssl req -new -newkey rsa:512 -nodes -out ca.req \
>       -keyout ca.key
>
>   openssl x509 -trustout -signkey ca.key -days 365 \
>       -req -in ca.req -out ca.crt
>
> Step 3: Sign the tomcat request to generate tomcat certificate
>   openssl x509 -CA ca.crt -CAkey ca.key -in my.csr \
>       -out my.crt -req -CAcreateserial
>
> Step 4: Import both into my keystore
>   keytool -import -file ca.crt -alias RootCert
>
>   keytool -import -file my.crt -alias tomcat
>

I'm not sure it's necessary, but I'd import the last certificate with the following command:

  keytool -import -trustcacerts -file my.crt -alias tomcat

> I can then stop and restart tomcat, and non-client-authenticated https
> works. I then go on to
>
> Step 5: Generate a client certificate
>   openssl req -new -newkey rsa:512 -nodes \
>       -out client.req -keyout client.key
>
>   openssl x509 -CA ca.crt -CAkey ca.key \
>       -req -in client.req \
>       -out client.crt
>
> I then enable clientAuth="true", and try to connect to tomcat using
> the openssl s_client:
>   openssl s_client -cert client.crt -key client.key \
>       -connect localhost:8443
> and get the following output:
>   CONNECTED(00000003)
>   depth=1 /C=US/ST=California/L=Stanford/O=Stanford
>   University/OU=CSD/CN=UStorit [EMAIL PROTECTED]
>   verify error:num=19:self signed certificate in certificate chain
>   verify return:0
>   write:errno=104
>
> Any ideas? Or ideas on how to debug this? (I'm coming up against a
> deadline, so any hints much appreciated)
>

And I bet the client certificate should be signed in a specific way. Some guys mentioned that you can find some help at the OpenSSL site.

> --
> Brian Palmer
> "Whoever fights monsters should see to it that in the process he does
> not become a monster. And when you look long into an abyss, the abyss
> also looks into you" - Nietzsche
>
>

Anton
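A worked example added after the thread (it is not code from Brian's or Anton's messages): the script below rebuilds the CA, server and client certificates of steps 2, 3 and 5 with openssl alone, then checks the two trust relationships that matter for clientAuth, namely that the server and client certificates chain to ca.crt and that a certificate from an unrelated CA does not. It assumes only that openssl is on PATH; the CN values, file names and the 2048-bit key size are the example's own choices, and the keytool and s_client commands it prints are shown but not run.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the CA / server /
# client certificate setup from Brian's steps 2, 3 and 5 with openssl,
# then check the trust relationships that both Tomcat (its truststore)
# and openssl s_client (-CAfile) rely on. Assumes openssl is on PATH;
# CN values and file names are illustrative.
set -u

# make_ca DIR NAME: self-signed CA certificate and key (NAME.crt / NAME.key).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# issue_cert DIR CA NAME EKU: fresh key + CSR for NAME, signed by CA with
# the given extendedKeyUsage (serverAuth for Tomcat, clientAuth for the
# browser or s_client). The post signs without extensions; the EKU is what
# a real CA would add, and some clients check it.
issue_cert() {
    dir=$1; ca=$2; name=$3; eku=$4
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1 || return 1
    printf 'extendedKeyUsage = %s\n' "$eku" > "$dir/$name.ext"
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" >/dev/null 2>&1
}

# chain_ok DIR CA NAME: succeeds only if NAME.crt chains to CA.crt. This is
# the check s_client does with -CAfile and Tomcat does against its
# truststore when clientAuth="true".
chain_ok() {
    openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1
}

# has_purpose DIR NAME TEXT: succeeds if the certificate's text dump names
# the purpose, e.g. "TLS Web Client Authentication".
has_purpose() {
    openssl x509 -in "$1/$2.crt" -noout -text 2>/dev/null | grep -q "$3"
}

main() {
    work=$(mktemp -d)
    make_ca "$work" ca      || { echo "CA generation failed"; return 1; }
    make_ca "$work" otherca || return 1   # unrelated CA for the negative case
    issue_cert "$work" ca server serverAuth        || return 1
    issue_cert "$work" ca client clientAuth        || return 1
    issue_cert "$work" otherca stranger clientAuth || return 1

    chain_ok "$work" ca server   && echo "server.crt chains to ca.crt"
    chain_ok "$work" ca client   && echo "client.crt chains to ca.crt"
    chain_ok "$work" ca stranger || echo "stranger.crt (other CA) rejected, as expected"

    cat <<EOF
# Tomcat side (keytool not run here): the CA that signed the client
# certificates must be in the truststore Tomcat consults, e.g.
keytool -import -trustcacerts -alias ca -file $work/ca.crt -keystore truststore.jks
# Client side: hand s_client the CA as well, otherwise it reports
# "verify error:num=19:self signed certificate in certificate chain"
openssl s_client -connect localhost:8443 -CAfile $work/ca.crt \\
    -cert $work/client.crt -key $work/client.key
EOF
}

main
```

The negative case (stranger.crt, signed by otherca) is the failure mode to keep in mind: a client certificate is only "signed in a specific way" in the sense that its issuer must be a CA the server's truststore contains. Note that `openssl verify` checks the chain only; it does not replay a TLS handshake, so a passing chain here still says nothing about hostname matching or the server's connector configuration.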