Re: [users@httpd] Export CACertificate to Tomcat

Fri, 06 Aug 2010 01:27:34 -0700 


thank you very mutch for your reply!

that works for me!

 :-)


Am 05.08.2010 17:41, schrieb ravi kumar:


Hi,

Confirm if u want certificate for apache or tomcat?
If it is apache then "filename.crt" file will work, but if it is for tomcat then u will need 
"filename.keystore" is required.

Below command is used to generate .key file in Linux using phase key

openssl genrsa -des3 1024 > filename.key


Below command is used to generate csr file in Linux

openssl req -new -key /root/csr/filename.key > filename.csr


==========================================
*Step 1:* Generate a keystore in pkcs12 format using the Certificate (.crt) and the Private Key (.key) files
*openssl pkcs12 -in <yourfile.crt> -inkey <yourfile.key> -export -out <keystore name> -name tomcat*
The keystore file will be generated into the folder where OpenSSL binary is located
*Step 2: *Once the keystore is generated, configure the SSL factory in server.xml file to use it 


*Example:*

* *
<clientAuth="false" sslprotocol="TLS"* *keystoreFile="C:\Program\tomcat/keystore" keystorePass="mypassword" truststorePass="mypassword"* *keystoreType="pkcs12" /> 




Note :- Sometimes providerroot file is required.
Ex. If i purchased my certificate from "thawte" then i will
require "thawteroot.csr" and will merge this with my "filename.csr" and install on the server. 


Hope above solution works for you.


Thanks,
Ravi


--- On *Thu, 5/8/10, Tina Exner /<tex...@picturesafe.de>/* wrote:


    From: Tina Exner <tex...@picturesafe.de>
    Subject: Re: [us...@httpd] Export CACertificate to Tomcat
    To: users@httpd.apache.org
    Date: Thursday, 5 August, 2010, 3:49 PM


    did nobody know a solution for this problem?



    hi all,

    we have a nexus multiid server for certificate authentication.
    i try to pass the client smartcard certificates from apache to
    tomcat server.
    the tomcat talks to the nexus and the authentication take effect.

    when i try to export the client ca certificate to the tomcat server
     i get the following errors:

    [Mon Aug 02 15:36:40 2010] [error] [client] Certificate
    Verification: Error (20): unable to get local issuer certificate
    [Mon Aug 02 15:36:40 2010] [error] [client] Re-negotiation
    handshake failed: Not accepted by client!?

    @Firefox:
    (Fehlercode: ssl_error_unknown_ca_alert)


    this is my ssl configuration:

    <IfModule ssl_module>
              SSLVerifyClient none
              SSLVerifyDepth 5

              #SSLOptions +ExportCertData +StrictRequire +StdEnvVars
    +FakeBasicAuth
              SSLOptions +ExportCertData

              #SSLCACertificateFile conf/ssl/Certificate.cer

    </IfModule>

    <Location /nexus>
                    SSLVerifyClient         require
                    SSLVerifyDepth          5
#SSLCACertificateFile /ps/apache2.2/testsystem1/conf/ssl/Certificate.crt 
                    #SSLOptions             +ExportCertData
    +StrictRequire +StdEnvVars +FakeBasicAuth
                    SSLOptions              +ExportCertData +StdEnvVars
                    #SSLRequireSSL
    </Location>


    my jk.conf:

      JkExtractSSL          On
      JkHTTPSIndicator      HTTPS
      JkSESSIONIndicator    SSL_SESSION_ID
      JkCIPHERIndicator     SSL_CIPHER
      JkCERTSIndicator      SSL_CLIENT_CERT
      JkEnvVar              SSL_CLIENT_CERT SSL_CLIENT_CERT
      JkOptions             +ForwardSSLCertChain


    i use apache 2.2.13-3 and openssl 0.9.8a.

    Any hints on what might have gone wrong will be highly useful.

    regards
    Tin

Reply via email to