thank you very much for your reply!
that works for me!
:-)
On 05.08.2010 17:41, ravi kumar wrote:
Hi,
Confirm if you want the certificate for apache or tomcat?
If it is apache then the "filename.crt" file will work, but if it is for
tomcat then you will need "filename.keystore".
Below command is used to generate the .key file in Linux using a passphrase:
openssl genrsa -des3 1024 > filename.key
Below command is used to generate the csr file in Linux:
openssl req -new -key /root/csr/filename.key > filename.csr
==========================================
*Step 1:* Generate a keystore in pkcs12 format using the Certificate
(.crt) and the Private Key (.key) files
openssl pkcs12 -in <yourfile.crt> -inkey <yourfile.key> -export -out <keystore name> -name tomcat
The keystore file will be generated into the folder where OpenSSL
binary is located
*Step 2:* Once the keystore is generated, configure the SSL factory in
server.xml file to use it
*Example:*
<Connector ... clientAuth="false" sslProtocol="TLS"
keystoreFile="C:\Program\tomcat/keystore" keystorePass="mypassword"
truststorePass="mypassword" keystoreType="pkcs12" />
Note :- Sometimes the provider root file is required.
Ex. If I purchased my certificate from "thawte" then I will
require "thawteroot.csr" and will merge this with my "filename.csr"
and install on the server.
Hope above solution works for you.
Thanks,
Ravi
--- On Thu, 5/8/10, Tina Exner <tex...@picturesafe.de> wrote:
From: Tina Exner <tex...@picturesafe.de>
Subject: Re: [us...@httpd] Export CACertificate to Tomcat
To: users@httpd.apache.org
Date: Thursday, 5 August, 2010, 3:49 PM
did nobody know a solution for this problem?
hi all,
we have a nexus multiid server for certificate authentication.
i try to pass the client smartcard certificates from apache to
tomcat server.
the tomcat talks to the nexus and the authentication takes effect.
when i try to export the client ca certificate to the tomcat server
i get the following errors:
[Mon Aug 02 15:36:40 2010] [error] [client] Certificate Verification: Error (20): unable to get local issuer certificate
[Mon Aug 02 15:36:40 2010] [error] [client] Re-negotiation handshake failed: Not accepted by client!?
@Firefox:
(Fehlercode: ssl_error_unknown_ca_alert)
this is my ssl configuration:
<IfModule ssl_module>
SSLVerifyClient none
SSLVerifyDepth 5
#SSLOptions +ExportCertData +StrictRequire +StdEnvVars +FakeBasicAuth
SSLOptions +ExportCertData
#SSLCACertificateFile conf/ssl/Certificate.cer
</IfModule>
<Location /nexus>
SSLVerifyClient require
SSLVerifyDepth 5
#SSLCACertificateFile /ps/apache2.2/testsystem1/conf/ssl/Certificate.crt
#SSLOptions +ExportCertData +StrictRequire +StdEnvVars +FakeBasicAuth
SSLOptions +ExportCertData +StdEnvVars
#SSLRequireSSL
</Location>
my jk.conf:
JkExtractSSL On
JkHTTPSIndicator HTTPS
JkSESSIONIndicator SSL_SESSION_ID
JkCIPHERIndicator SSL_CIPHER
JkCERTSIndicator SSL_CLIENT_CERT
JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT
JkOptions +ForwardSSLCertChain
i use apache 2.2.13-3 and openssl 0.9.8a.
Any hints on what might have gone wrong will be highly useful.
regards
Tin
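
The key, CSR and PKCS#12 keystore steps from Ravi's reply, run end to end with two checks added: the certificate must match the private key before export, and the alias is read back from the finished keystore. This is an added example, not part of the thread. The 2048-bit key, AES-256 key encryption, the KEY_PASS/KS_PASS variables, the subject name, the keystore.p12 file name and the self-signed certificate standing in for a CA-issued one are assumptions.

```shell
#!/bin/sh
# Added example: key -> CSR -> certificate -> PKCS#12 keystore, with checks.
# Assumptions (not from the thread): 2048-bit key, AES-256 key encryption,
# the KEY_PASS/KS_PASS variables, keystore.p12 as output name, and a
# self-signed certificate standing in for the one a CA issues from the CSR.

# Constructed demo passphrases; real ones should come from a prompt or vault.
KEY_PASS=${KEY_PASS:-constructed-key-pass}
KS_PASS=${KS_PASS:-constructed-store-pass}
export KEY_PASS KS_PASS

# Succeeds only if the certificate's public key belongs to the private key.
cert_matches_key() {    # usage: cert_matches_key <cert> <key>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Prints the alias (friendlyName) stored in a PKCS#12 keystore.
keystore_alias() {      # usage: keystore_alias <keystore>
    openssl pkcs12 -in "$1" -passin env:KS_PASS -nokeys 2>/dev/null |
        sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Runs the whole procedure inside directory $1 and leaves $1/keystore.p12.
build_keystore() {
    (
        cd "$1" || exit 1
        umask 077   # key and keystore readable by their owner only
        openssl genrsa -aes256 -passout env:KEY_PASS \
            -out filename.key 2048 2>/dev/null &&
        openssl req -new -key filename.key -passin env:KEY_PASS \
            -subj "/CN=tomcat.example.test" -out filename.csr &&
        openssl x509 -req -in filename.csr -signkey filename.key \
            -passin env:KEY_PASS -days 30 -out filename.crt 2>/dev/null &&
        cert_matches_key filename.crt filename.key &&
        openssl pkcs12 -export -in filename.crt -inkey filename.key \
            -passin env:KEY_PASS -passout env:KS_PASS \
            -name tomcat -out keystore.p12
    )
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d) && build_keystore "$demo_dir" &&
    echo "keystore alias: $(keystore_alias "$demo_dir/keystore.p12")"
rm -rf "$demo_dir"
```

Passing the passphrases through env: keeps them out of the process list, and the alias printed at the end is the one given with -name in Step 1.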