Hi Bill:

Indeed. Mark's comments put me on the track again, searching for
something simpler and more direct than calling openssl or subclassing
a provider, and I found this article, which demonstrates how to create
a client certificate and sign it using a self-signed root certificate,
like the ones you produce with keytool:

http://www.mayrhofer.eu.org/Default.aspx?pageindex=4&pageid=39

I made some minor adjustments to the code, and it worked fine; I still
have to test several things, but the client certificate was generated
and the issuer was set as expected. I still have to test the
client-cert verification.

The article's author (Rene Mayrhofer) used the Bouncy Castle component
along with JCE. The code can be easily encapsulated to be used in a
web application.

Thanks to all for your comments and suggestions, especially Mark. I
must say that judging by what I found in the tomcat-list archives,
this time the question got a lot more [useful] feedback than in the
recent past. Lucky I am.

Regards.

On 6/11/07, Bill Barker <[EMAIL PROTECTED]> wrote:

"Ronald Spiers" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi Pulkit, assuming that I can create the trustManager, I am not sure
> about how to register it with Tomcat, and if I need to implement more
> interfaces, etc.
>
> In short, I suspect other people already solved this problem, and
> since it will be my first time, I am trying to obtain their feedback
> and suggestions to avoid common pitfalls.
>
> You are right, I already have a clue in the JSSE docs, but I am
> looking for a little bit more advice - if possible.
>
> And as Mark's reply pointed out, I may not be using the certificate
> mechanism in the best way. That's also the kind of feedback I am
> looking for.
>

Yes, as Mark has pointed out, the usual way to solve this is to have your own
CA certificate imported into the truststoreFile, and use that to sign all of
the certificates that you issue.  Then any certificate that you issue will
be verified without you having to do anything fancy.

To do this the hard way, you can either:
a)  implement your own trust management algorithm, and pass that as the
truststoreAlgorithm on the <Connector />
b)  implement your own SSLImplementation (probably by extending the JSSE one
in Tomcat), and override JSSE14SocketFactory.getTrustManagers
> Thanks for your reply.
>
>
> On 6/11/07, Pulkit Singhal <[EMAIL PROTECTED]> wrote:
>> Hello,
>>
>> I am not sure what you are asking for here. You say that you found some
>> instructions on "Creating Your Own X509TrustManager" ... that's good.
>> 1) Given that you have these instructions, what's the issue at hand?
>> Conceptually (and without even looking at any content other than the
>> title) I would chime in and say that it sounds like ... if you can create
>> your own TrustManager then you most likely make dynamic additions to it.
>> 2) Or maybe you have yet to implement any such solution and are still
>> looking for pre-provided alternatives?
>>
>> There are always modules like EJBCA (http://ejbca.sourceforge.net/) that
>> you might want to have a look at, I think it can be deployed on Tomcat.
>>
>> On 6/11/07, Ronald Spiers <[EMAIL PROTECTED]> wrote:
>> >
>> > Hi, I am preparing a self-enrollment webapp for generating client
>> > certificates and adding them to the server keystore. I know that
>> > Tomcat won't reload the keystore unless the server is restarted, so I did
>> > look for alternatives, and the JSSE guide explains an approach to this
>> > in the section "Creating Your Own X509TrustManager".
>> >
>> > My question is: does anybody on this list have some experience solving
>> > this problem, providing Tomcat a custom trust manager to dynamically
>> > add a client certificate to the verification path when client
>> > credentials are presented?
>> >
>> > Can self-enrollment be done using Tomcat and JSSE? Maybe it can't be
>> > done and I am just wasting my time ;) I have searched a lot in the last
>> > 3 days, Tomcat list archives and other materials, and I have not found a
>> > single solution to this problem, except for the JSSE guide and this
>> > article, which explains how to create a trustManager and an SSLContext
>> > for implementing S/MIME with JavaMail:
>> >
>> > * http://www.javaworld.com/javatips/jw-javatip115.html
>> >
>> > Thanks a lot for any feedback you can provide.
>> >
>> > Regards,
>> > Martin
>> >
>> > ---------------------------------------------------------------------
>> > To start a new topic, e-mail: users@tomcat.apache.org
>> > To unsubscribe, e-mail: [EMAIL PROTECTED]
>> > For additional commands, e-mail: [EMAIL PROTECTED]
>> >
>> >
>>
>
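As an added illustration of what Bill and the JSSE guide describe (this is a hypothetical example, not code from the thread, from Tomcat or from JSSE), here is a Java X509TrustManager that validates presented client certificates against a truststore holding your own CA and can reload that truststore without a server restart. Wiring it into Tomcat still takes one of the two routes Bill lists; that part is not shown.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical example class (not Tomcat or JSSE code): delegates every check to the
// standard PKIX trust manager built from a truststore holding the issuing CA, and can
// rebuild that delegate at run time, so a newly issued client cert needs no restart.
public final class ReloadableTrustManager implements X509TrustManager {
    private final AtomicReference<X509TrustManager> delegate = new AtomicReference<>();
    public ReloadableTrustManager(String truststorePath, char[] password) throws Exception {
        reload(truststorePath, password);
    }

    // Rebuild the PKIX delegate from the truststore file; the swap is atomic, so
    // handshakes already in flight keep using the old instance until they finish.
    public void reload(String truststorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(truststorePath)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                delegate.set((X509TrustManager) tm);
                return;
            }
        }
        throw new IllegalStateException("no X509TrustManager built from " + truststorePath);
    }

    @Override // full PKIX path validation of the client's chain to a CA in the truststore
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.get().checkClientTrusted(chain, authType);
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.get().checkServerTrusted(chain, authType);
    }

    @Override // the trust anchors whose names the server advertises in its CertificateRequest
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.get().getAcceptedIssuers();
    }
}
```

Because validation is delegated to the PKIX engine, a client certificate is accepted only if it chains to a CA in the truststore, which is exactly the "usual way" above; only the truststore contents change, never the verification logic.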