Hi Peter,

Thanks for your reply. We can all use a day off now and then :-)

In the meantime I have cracked the nut...! Yes, really!! Last night I
succeeded in sending a self-generated certificate from IE to Tomcat that
was verified and accepted and let me in on the site. I still have to sort
out the exact chain of events that led to this discovery, and will mail
them to you and the list once I've got them in correct order. Here are some
hints though:

In retrospect, I did make some mistakes along the way, such as installing
my private self-issued certificate in the IE keystore WITHOUT the private
key. In other words, I installed the certificate by converting it into DER
format, and then importing it into IE. Wrong!
What you MUST do is to combine both the certificate AND the private key
into a PKCS#12 format (using "openssl pkcs12"), and then install that in
IE. Once I did that it worked. This was apparently the reason for the SSL
handshake failure that we both have seen. You should verify if this solves
your problem too.

NB. To install other people's certificates, as well as CA and server
certificates, one should still only install the certificate in DER format,
WITHOUT the key. Particularly for your own CA certificate ;-)

However, other things I did prior to that may have contributed to the process
too; this is what I need to sort out. One thing I found was that IE does
not like keys longer than 1024 bits. I experimented with 512 bit keys right
before I succeeded, so that may have left some files in a different order.

Of other noteworthy observations: you MUST use your own CA certificate to
sign EVERYTHING (server + clients), AND the CA certificate should be
installed in the Tomcat JKS keystore (used for client cert validation), AND
the CA cert should also be in the trusted CA's file under JRE (used for
client cert selection in IE).

A tricky part is to create a "keyEntry" certificate in the JKS keystore for
Tomcat; if you just create your own key + cert and install that in the
keystore using keytool, it will show up as a "trustedCertEntry", because
the private key is not imported. So, you actually start out by creating the
JKS certificate following the guidelines for keytool, then you create a
CERTREQ using keytool, and then you sign that request using your own CA
cert. Finally you import the signed cert back into the keystore (this is
the only time keytool allows you to import a certificate which already
exists in the keystore!), and voilà! You have a self-CA-signed cert for
Tomcat.
(If you know of ways to import a private key for an existing certificate in
a JKS please let me know.)

Hope these initial comments help. Otherwise stay tuned for the HOW-TO :-)

Regards -

Henrik Schultz
Senior Systems Architect
Consultant to Maersk Data AS
Tel.: +45 39 10 21 13
Mobile: +45 22 12 24 29
E-mail: [EMAIL PROTECTED]
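The chain of events Henrik describes, replayed end to end as an added example (not code from the original thread): one private CA signs both the Tomcat server cert and the browser client cert, the Tomcat key pair is generated inside the JKS so it stays a keyEntry, and the client cert is bundled WITH its private key as PKCS#12. It assumes a current `openssl` and a JDK `keytool` on the PATH; the directory, alias names, subjects and the `changeit` password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. All names, subjects and passwords
# are constructed; openssl and keytool are assumed to be installed.
set -e

build_keystores() {
  d="$1"          # working directory for every generated file
  pw=changeit     # demo password for the JKS keystore and the .p12

  # 1. Private CA: the one certificate that signs EVERYTHING (server + clients).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Test CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null

  # 2. Tomcat side: key pair created INSIDE the JKS (so the entry is a keyEntry,
  #    not a trustedCertEntry), then a CSR, signed by the CA, imported back over
  #    the same alias.
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -storetype JKS \
    -dname "CN=localhost, O=Demo" -validity 365 \
    -keystore "$d/tomcat.jks" -storepass "$pw" -keypass "$pw" 2>/dev/null
  keytool -certreq -alias tomcat -file "$d/tomcat.csr" \
    -keystore "$d/tomcat.jks" -storepass "$pw" 2>/dev/null
  openssl x509 -req -in "$d/tomcat.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 365 -out "$d/tomcat.crt" 2>/dev/null
  # The CA cert must be in the keystore: Tomcat validates client certs against it,
  # and keytool needs it to accept the signed reply for the 'tomcat' alias.
  keytool -importcert -noprompt -alias democa -file "$d/ca.crt" \
    -keystore "$d/tomcat.jks" -storepass "$pw" 2>/dev/null
  keytool -importcert -noprompt -alias tomcat -file "$d/tomcat.crt" \
    -keystore "$d/tomcat.jks" -storepass "$pw" 2>/dev/null

  # 3. Browser side: client key + CSR, signed by the same CA, then bundled as
  #    PKCS#12 (cert AND key). Importing only the DER cert is the thread's mistake.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo user" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 365 -out "$d/client.crt" 2>/dev/null
  openssl pkcs12 -export -in "$d/client.crt" -inkey "$d/client.key" \
    -certfile "$d/ca.crt" -name "demo user" -out "$d/client.p12" -passout "pass:$pw"
}

# Checks to run before blaming the SSL handshake: does the .p12 really carry a
# private key, and does a cert actually chain to the CA the other side trusts?
p12_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

`keytool -list` on the resulting keystore should show the `tomcat` alias as a key entry and `democa` as a trustedCertEntry; a `tomcat` alias listed as trustedCertEntry means the private key never got in.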



"Peter Werno" <[EMAIL PROTECTED]>
To: "Henrik Schultz" <[EMAIL PROTECTED]>
cc:
Subject: Re: Tomcat 4 - OpenSSL - IE client certificate works partially
02-07-2002 20:30



Hello Henrik,

sorry for not getting back to you, I had a day off :-)

I will try to change the server certificate to a "real" (CA-issued)
certificate tomorrow and let you know if it works. I have previously
used Apache as the webserver and mod_webapp to publish my
web applications through to the user.
This has always worked fine; however, I have never tried with anything
else than a "real" cert in this configuration.

If you would like to try Apache, I can recommend the mod_ssl
documentation, it is very detailed on how to set up Apache for SSL.

Regards,

Peter
