The Tomcat logs have no errors in them; they end after startup (I haven't 
installed any apps yet, just trying to get to the Tomcat manager with SSL).


    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" 
               keystoreFile="/server.ks" 
               keystorePass="MC126801$"
               sslProtocol="TLS" />


I configured the tomcat keystore as follows (openssl commands included):

   [1] create folders c:\ssl\ca, c:\ssl\server and c:\ssl\client and ca.srl with 02
   [2] openssl req -new -newkey rsa:1024 -nodes -out c:\ssl\ca\ca.csr -keyout c:\ssl\ca\ca.key -config "C:\ssl\openssl.cnf"
  country=US
  state=newyork
  city=fishkill
  organization_name=myca
  organization_unit=myca
  common_name=myca
  email=racarl...@medaicomcc.com
   [3] openssl x509 -trustout -signkey c:\ssl\ca\ca.key -days 365 -req -in c:\ssl\ca\ca.csr -out c:\ssl\ca\ca.pem
   [4] keytool -import -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file C:\ssl\ca\ca.pem -alias my_ca
**[5] keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keystore C:\ssl\server\server.ks -storetype JKS
        What is your first and last name? myserver.localhost.com
        What is the name of your organizational unit? mycompany
        What is the name of your organization? mycompany
        What is the name of your City or Locality? fishkill
        What is the name of your State or Province? newyork
        What is the two-letter country code for this unit?  US
**[6] keytool -certreq -keyalg RSA -alias tomcat -file C:\ssl\server\server.csr -keystore C:\ssl\server\server.ks
   [7] amend the text which reads "NEW CERTIFICATE REQUEST" to "CERTIFICATE REQUEST"
   [8] openssl x509 -CA C:\ssl\ca\ca.pem -CAkey C:\ssl\ca\ca.key -CAserial C:\ssl\ca\ca.srl -req -in C:\ssl\server\server.csr -out C:\ssl\server\server.crt -days 365
**[9] keytool -import -alias tomcat -keystore C:\ssl\server\server.ks -trustcacerts -file C:\ssl\server\server.crt
**[10] keytool -import -alias my_ca -keystore C:\ssl\server\server.ks -trustcacerts -file C:\ssl\ca\ca.pem
   [11] openssl req -new -newkey rsa:512 -nodes -out C:\ssl\client\client1.req -keyout C:\ssl\client\client1.key
    Country Name ? US
    State or Province Name ? newyork
    Locality Name (eg, city) ? fishkill
    Organization Name ? mycompany
    Organizational Unit Name ? mycompany
    Common Name (eg, YOUR name) ? localhost <-- this value is in tomcat-users.xml
    Email Address ? racarl...@mediacomcc.com
   [12] openssl x509 -CA C:\ssl\ca\ca.pem -CAkey C:\ssl\ca\ca.key -CAserial C:\ssl\ca\ca.srl -req -in C:\ssl\client\client1.req -out C:\ssl\client\client1.pem -days 365
   [13] openssl pkcs12 -export -clcerts -in C:\ssl\client\client1.pem -inkey C:\ssl\client\client1.key -out C:\ssl\client\client1.p12 -name "my_client_certificate"

I also tried importing the client.pem and apache.pem from below into the 
keystore (no change in error):
openssl pkcs12 -in c:\ssl\client\client1.p12 -out c:\ssl\client\apache.pem -nodes -passin pass:MC126801$
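Added example, not code from this thread or from Tomcat: a small checker that parses a server.xml and flags the connector settings that matter once clientAuth is on. It assumes a Windows host as in the thread, and Tomcat 6's JSSE behaviour of defaulting truststoreFile to the JVM cacerts and resolving non-absolute keystore paths against catalina.base; the sample XML is constructed from the posted connector with a placeholder password, and the "fixed" variant points truststoreFile at server.ks, which holds the CA under alias my_ca after step [10].

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Connector quoted in this thread, password replaced.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="true" keystoreFile="/server.ks"
             keystorePass="KEYSTORE_PASSWORD_PLACEHOLDER" sslProtocol="TLS" />
</Service></Server>"""

# Same connector with an absolute Windows path and an explicit trust store
# (server.ks already holds the CA under alias my_ca after step [10]).
FIXED_SERVER_XML = SAMPLE_SERVER_XML.replace(
    'keystoreFile="/server.ks"',
    'keystoreFile="C:/ssl/server/server.ks" '
    'truststoreFile="C:/ssl/server/server.ks"')

WIN_ABSOLUTE = re.compile(r"^([A-Za-z]:[\\/]|\\\\)")  # drive letter or UNC share

def check_connector(conn):
    """Return the findings for one SSL-enabled <Connector> element."""
    a = conn.attrib
    findings = []
    client_auth = a.get("clientAuth", "false").lower()
    if client_auth in ("true", "want") and "truststoreFile" not in a:
        findings.append(
            "clientAuth=%s without truststoreFile: Tomcat falls back to the JVM "
            "trust store (jre/lib/security/cacerts); a client certificate whose "
            "issuing CA is not in that file is answered with a certificate_unknown "
            "alert (46)" % client_auth)
    for key in ("keystoreFile", "truststoreFile"):
        path = a.get(key)
        if path and not WIN_ABSOLUTE.match(path):
            findings.append("%s=%r has no drive letter; on Windows Tomcat resolves "
                            "it relative to catalina.base, not the filesystem root"
                            % (key, path))
    if "keystorePass" in a:
        findings.append("keystorePass is clear text in server.xml; restrict "
                        "read access to the file")
    return findings

def check_server_xml(text):
    """Map the port of every SSL-enabled <Connector> to its findings."""
    root = ET.fromstring(text)
    return {c.get("port"): check_connector(c) for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"}
```

Run check_server_xml on the real conf/server.xml to get the findings per SSL port; plain HTTP connectors are skipped.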


________________________________________
From: users-return-214164-racarlson=mediacomcc....@tomcat.apache.org 
[users-return-214164-racarlson=mediacomcc....@tomcat.apache.org] On Behalf Of 
Pid [...@pidster.com]
Sent: Wednesday, June 30, 2010 5:25 PM
To: Tomcat Users List
Subject: Re: need help setting up tomcat with ssl client authentication

On 30/06/2010 22:07, Ralph Carlson wrote:
> tomcat version 6.0.20
> os: windows xp sp3 professional edition
> sun java jdk 1.5.11
>
> I am trying to do the following
> (a) create a certificate authority and self sign server and client 
> certificates using openssl and keytool
> (b) import the keytool keystore into tomcat
> (c) verify the certificate chain using openssl verify (which does work and 
> returns ok for all 3 certificates)
> (d) have client Authorization on - with it off tomcat ssl works just fine, 
> when it's turned on I get this error

Which error?  What is in the Tomcat logs when the problem occurs?

> so far I have been following the steps listed in this tomcat user group 
> message
> http://marc.info/?l=tomcat-user&m=106293430225790&w=2

How did you configure Tomcat to use the certificates in (b)?

What is your Tomcat Connector config in server.xml?


p


> but get this message from openssl s_client -cert c:\ssl\client\client.pem 
> -CAfile c:\ssl\ca\ca.pem -connect localhost:443
>
> 3772:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
> unknown:.\ssl\s3_pkt.c:1061:SSL alert number 46
> 3772:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 
> failure:.\ssl\s23_lib.c:188:
>
> and these messages from firefox (after importing the certificate)
> initially 'sslv3 alert certificate unknown' , then just 'SSL peer was not 
> expecting a handshake message it received' after a few tries
>
> does anyone know how to do this or has anyone done this before,
> thanks for your help in advance
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>


