Hi,
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Brian Palmer
> Sent: Tuesday, February 26, 2002 12:58 PM
> To: [EMAIL PROTECTED]
> Subject: SSL Client authentication with standalone Tomcat
>
>
> I'm trying to set up for a simple project client-authentication and CA
> abilities, using standalone tomcat and openssl. I'm not having
> luck. The short version is, when I enable clientAuth, I am unable to
> connect to the server, getting various messages (in Mozilla 0.9.8, I
> get no error messages but the page will not load, using openssl
> s_client I get a write error).
>
> Forgive me in advance for this long message, but my hope is that by
> explicitly stating what I'm doing, it will be easy for someone more
> experienced to see where I'm going wrong. I've spent much of the last
> 2 days searching online for information and trying different
> approaches; most of the problems/solutions don't give a lot of details.
>
> I've done the following:
>
> Step 1: Generate the tomcat request for certificate
> keytool -genkey -alias tomcat -keyalg RSA
>
> keytool -certreq -alias tomcat -file my.csr
>
> Step 2: Generate the ca certificate
> openssl req -new -newkey rsa:512 -nodes -out ca.req \
> -keyout ca.key
>
> openssl x509 -trustout -signkey ca.key -days 365 \
> -req -in ca.req -out ca.crt
>
> Step 3: Sign the tomcat request to generate tomcat certificate
> openssl x509 -CA ca.crt -CAkey ca.key -in my.csr \
> -out my.crt -req -CAcreateserial
>
> Step 4: Import both into my keystore
> keytool -import -file ca.crt -alias RootCert
>
> keytool -import -file my.crt -alias tomcat
>
I'm not sure it's necessary, but I'd import the last certificate with the
following command:
keytool -import -trustcacerts -file my.crt -alias tomcat
> I can then stop and restart tomcat, and non-client-authenticated https
> works. I then go on to
>
> Step 5: Generate a client certificate
> openssl req -new -newkey rsa:512 -nodes \
> -out client.req -keyout client.key
>
> openssl x509 -CA ca.crt -CAkey ca.key \
> -req -in client.req \
> -out client.crt
>
> I then enable clientAuth="true", and try to connect to tomcat using
> the openssl s_client:
> openssl s_client -cert client.crt -key client.key \
> -connect localhost:8443
> and get the following output:
> CONNECTED(00000003)
> depth=1 /C=US/ST=California/L=Stanford/O=Stanford
> University/OU=CSD/CN=UStorit [EMAIL PROTECTED]
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> write:errno=104
>
> Any ideas? Or ideas on how to debug this? (I'm coming up against a
> deadline, so any hints much appreciated)
>
And I bet the client certificate should be signed in a specific way.
Some guys mentioned that you can find some help at the OpenSSL
site.
> --
> Brian Palmer
> "Whoever fights monsters should see to it that in the process he does
> not become a monster. And when you look long into an abyss, the abyss
> also looks into you" - Nietzsche
>
>
Anton
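As an added example (not code from Brian's or Anton's messages), the script below reproduces the CA and client-certificate flow from steps 2 and 5 and then checks the result with `openssl verify`, which is the test to run before enabling clientAuth: it shows the chain succeeding when the CA is the trust anchor and failing without it, and confirms the client key matches the client certificate. It assumes `openssl` on PATH, constructed subject names such as `Demo Test CA`, and uses 2048-bit keys where the thread used rsa:512.

```shell
#!/bin/sh
# Throwaway CA + CA-signed client certificate, then the chain and key checks
# a server truststore effectively performs during client authentication.
# All file names and subjects here are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA (the thread's step 2, collapsed into one command).
make_ca() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
}

# Client request signed by the CA (the thread's step 5).
make_client() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=demo-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.req"
    openssl x509 -req -days 365 -in "$WORK/client.req" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/client.crt"
}

# Chain check with ca.crt as trust anchor; exit 0 means a truststore holding
# ca.crt would accept this client certificate.
verify_client_with_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1
}

# Same check with no trust anchor for this CA: fails with "unable to get
# local issuer certificate", the same situation s_client is in when run
# without -CAfile ca.crt. Exit status is non-zero.
verify_client_without_ca() {
    openssl verify "$WORK/client.crt" >/dev/null 2>&1
}

# Private key and certificate must carry the same public key; a mismatch
# also surfaces only as a failed handshake.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/client.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$WORK/client.crt" -pubkey -noout 2>/dev/null)
    [ "$k" = "$c" ]
}

make_ca
make_client
verify_client_with_ca && echo "client.crt chains to ca.crt: OK"
key_matches_cert && echo "client.key matches client.crt: OK"
```

Once these checks pass, `openssl s_client -CAfile ca.crt -cert client.crt -key client.key -connect localhost:8443` should no longer report the verify error, and any remaining failure is on the server side (truststore contents or the clientAuth setting).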