The Tomcat logs have no errors in them; they end after startup (I haven't installed any apps yet, just trying to get to the Tomcat manager with SSL).
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="true" keystoreFile="/server.ks" keystorePass="MC126801$" sslProtocol="TLS" />

I configured the Tomcat keystore as follows (openssl commands included):

[1] create folders c:\ssl\ca, c:\ssl\server and c:\ssl\client, and ca.srl with 02

[2] openssl req -new -newkey rsa:1024 -nodes -out c:\ssl\ca\ca.csr -keyout c:\ssl\ca\ca.key -config "C:\ssl\openssl.cnf"
    country=US state=newyork city=fishkill organization_name=myca organization_unit=myca common_name=myca email=racarl...@medaicomcc.com

[3] openssl x509 -trustout -signkey c:\ssl\ca\ca.key -days 365 -req -in c:\ssl\ca\ca.csr -out c:\ssl\ca\ca.pem

[4] keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file C:\ssl\ca\ca.pem -alias my_ca

**[5] keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keystore C:\ssl\server\server.ks -storetype JKS
    What is your first and last name? myserver.localhost.com
    What is the name of your organizational unit? mycompany
    What is the name of your organization? mycompany
    What is the name of your City or Locality? fishkill
    What is the name of your State or Province? newyork
    What is the two-letter country code for this unit? US

**[6] keytool -certreq -keyalg RSA -alias tomcat -file C:\ssl\server\server.csr -keystore C:\ssl\server\server.ks

[7] amend the text which reads "NEW CERTIFICATE REQUEST" to "CERTIFICATE REQUEST"

[8] openssl x509 -CA C:\ssl\ca\ca.pem -CAkey C:\ssl\ca\ca.key -CAserial C:\ssl\ca\ca.srl -req -in C:\ssl\server\server.csr -out C:\ssl\server\server.crt -days 365

**[9] keytool -import -alias tomcat -keystore C:\ssl\server\server.ks -trustcacerts -file C:\ssl\server\server.crt

**[10] keytool -import -alias my_ca -keystore C:\ssl\server\server.ks -trustcacerts -file C:\ssl\ca\ca.pem

[11] openssl req -new -newkey rsa:512 -nodes -out C:\ssl\client\client1.req -keyout C:\ssl\client\client1.key
    Country Name? US
    State or Province Name? newyork
    Locality Name (eg, city)? fishkill
    Organization Name? mycompany
    Organizational Unit Name? mycompany
    Common Name (eg, YOUR name)? localhost   <-- this value is in tomcat-users.xml
    Email Address? racarl...@mediacomcc.com

[12] openssl x509 -CA C:\ssl\ca\ca.pem -CAkey C:\ssl\ca\ca.key -CAserial C:\ssl\ca\ca.srl -req -in C:\ssl\client\client1.req -out C:\ssl\client\client1.pem -days 365

[13] openssl pkcs12 -export -clcerts -in C:\ssl\client\client1.pem -inkey C:\ssl\client\client1.key -out C:\ssl\client\client1.p12 -name "my_client_certificate"

I also tried importing the client.pem and apache.pem from below into the keystore (no change in error):

    openssl pkcs12 -in c:\ssl\client\client1.p12 -out c:\ssl\client\apache.pem -nodes -passin pass:MC126801$

________________________________________
From: users-return-214164-racarlson=mediacomcc....@tomcat.apache.org [users-return-214164-racarlson=mediacomcc....@tomcat.apache.org] On Behalf Of Pid [...@pidster.com]
Sent: Wednesday, June 30, 2010 5:25 PM
To: Tomcat Users List
Subject: Re: need help setting up tomcat with ssl client authentication

On 30/06/2010 22:07, Ralph Carlson wrote:
> tomcat version 6.0.20
> os: windows xp sp3 professional edition
> sun java jdk 1.5.11
>
> I am trying to do the following
> (a) create a certificate authority and self sign server and client certificates using openssl and keytool
> (b) import the keytool keystore into tomcat
> (c) verify the certificate chain using openssl verify (which does work and returns ok for all 3 certificates)
> (d) have client Authorization on - with it off tomcat ssl works just fine, when it's turned on I get this error

Which error?

What is in the Tomcat logs when the problem occurs?

> so far I have been following the steps listed in this tomcat user group message
> http://marc.info/?l=tomcat-user&m=106293430225790&w=2

How did you configure Tomcat to use the certificates in (b)?

What is your Tomcat Connector config in server.xml?
> but get this message from openssl s_client -cert c:\ssl\client\client.pem -CAfile c:\ssl\ca\ca.pem -connect localhost:443
>
> 3772:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:.\ssl\s3_pkt.c:1061:SSL alert number 46
> 3772:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:
>
> and these messages from firefox (after importing the certificate): initially 'sslv3 alert certificate unknown', then just 'SSL peer was not expecting a handshake message it received' after a few tries
>
> does anyone know how to do this or has anyone done this before,
> thanks for your help in advance
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> ---------------------------------------------------------------------
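The thread's steps [1]-[13] mix openssl and keytool and leave two things implicit: whether the CA certificate actually carries a CA:TRUE basicConstraints extension (a plain "openssl x509 -req" emits v1 certificates with no extensions), and what user name Tomcat's CLIENT-CERT authenticator will look up once the handshake succeeds. The script below is an added example, not code from the thread or from the Tomcat project: it builds the same CA / server / client hierarchy with openssl only, using a private config file so the result does not depend on the system openssl.cnf, runs the same "openssl verify" check the poster describes (with explicit -purpose checks), and packages the server key and the client key as PKCS12 files. It is written for a POSIX shell; the openssl commands are the same ones on Windows. Assumptions: openssl 1.1.1 or newer is on PATH, the work directory, the store password, the host name myserver.localhost.com and all DNs are placeholders chosen for the example, and the trust store step only runs if a JDK's keytool is found. Keys are 2048-bit RSA rather than the 512/1024-bit keys in the thread. Note also that the thread's Connector points keystoreFile at /server.ks while the keystore is generated as C:\ssl\server\server.ks; the example prints the paths it wrote so the two can be kept in agreement.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or Tomcat's own code):
# build a private CA, a server certificate and a client certificate with
# openssl only, verify the chain, and package the results for Tomcat.
# Assumptions: openssl 1.1.1+ on PATH; WORK, PASS, the host name and the
# DNs below are placeholders for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-changeit}"   # placeholder store password; use a real secret

# One config file for every 'openssl req' call, so the script does not depend
# on the system openssl.cnf. [v3_ca] marks the CA certificate as a real CA.
write_openssl_cnf() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = US
ST = newyork
L = fishkill
O = myca
OU = myca
CN = myca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # Leaf extensions: server cert for serverAuth, client cert for clientAuth,
  # so 'openssl verify -purpose' and TLS stacks can tell the two roles apart.
  cat > "$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:myserver.localhost.com,DNS:localhost
EOF
  cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Issue one leaf certificate: $1 = file name, $2 = subject, $3 = extension file
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$3" -out "$WORK/$1.crt"
}

build_pki() {
  write_openssl_cnf
  # Self-signed v3 CA certificate (CA:TRUE) in one step
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/openssl.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  issue_leaf server  "/C=US/ST=newyork/L=fishkill/O=mycompany/OU=mycompany/CN=myserver.localhost.com" "$WORK/server.ext"
  issue_leaf client1 "/C=US/ST=newyork/L=fishkill/O=mycompany/OU=mycompany/CN=localhost" "$WORK/client.ext"
  # Server key + cert + CA as PKCS12; Tomcat loads it with keystoreType="PKCS12"
  openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
    -certfile "$WORK/ca.pem" -name tomcat -passout "pass:$PASS" -out "$WORK/server.p12"
  # Client key + cert as PKCS12 for import into the browser
  openssl pkcs12 -export -in "$WORK/client1.crt" -inkey "$WORK/client1.key" \
    -certfile "$WORK/ca.pem" -name my_client_certificate -passout "pass:$PASS" -out "$WORK/client1.p12"
  # Trust store holding only the CA, built with keytool when a JDK is present
  if command -v keytool >/dev/null 2>&1; then
    keytool -import -noprompt -alias my_ca -file "$WORK/ca.pem" \
      -keystore "$WORK/truststore.jks" -storepass "$PASS" >/dev/null
  fi
}

# The check the thread does with 'openssl verify', plus explicit purpose checks
verify_chain() {
  openssl verify -CAfile "$WORK/ca.pem" -purpose sslserver "$WORK/server.crt" >/dev/null &&
  openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient "$WORK/client1.crt" >/dev/null
}

# Tomcat's CLIENT-CERT authenticator looks up the client certificate's whole
# subject DN, formatted the way Java prints it, not just the CN.
client_username() {
  openssl x509 -noout -subject -nameopt RFC2253,sep_comma_plus_space \
    -in "$WORK/client1.crt" | sed 's/^subject= *//'
}

build_pki
verify_chain
echo "keystoreFile=$WORK/server.p12 (keystoreType=PKCS12), truststoreFile=$WORK/truststore.jks"
echo "client user name for tomcat-users.xml: $(client_username)"
```

Point the Connector at the files the script wrote (keystoreFile="…/server.p12" keystoreType="PKCS12" keystorePass="…" truststoreFile="…/truststore.jks" truststorePass="…" clientAuth="true"), import client1.p12 into the browser, and test the handshake from the command line with "openssl s_client -connect localhost:443 -cert client1.crt -key client1.key -CAfile ca.pem". A JSSE server sends alert 46 (certificate unknown) when it cannot validate the client certificate against its trust store, so if that alert persists, check that the CA in truststoreFile is the one that signed the client certificate. With OpenSSL 3.x, add -legacy to the two "pkcs12 -export" calls if an old JDK cannot read the AES-encrypted PKCS12 files it produces by default.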