Problems getting SSL 2-Way Authentication to work
2004-01-26 - By Tamas Suto
To whoever can help:

I'm trying to get a 2-way authentication mechanism working for Tomcat 4.1.29. I have browsed many archives and guides and have come up with some steps of commands to try and get the whole business up and running (see further down). I basically have a server and a client and I want the server to present a certificate to the client and vice versa, which the server then accepts and the user gains access to the protected resources. I am using my own CA (i.e. a self-signed one), which I employ to sign both the server and the client certificates.

My problem is that even though the server seems to present to me the correct certificate when I examine it (i.e. correctly signed by my own CA), I get an error saying the following (using Mozilla to access the site):

"Could not establish an encrypted connection, because certificate presented by <server> is invalid or corrupted. Error Code: -8182"

I looked this up in the Mozilla error codes database and it had the annotation "Peer's certificate has an invalid signature". I am really confused as to why this doesn't work. The exact steps I have taken for the whole process are as follows:

==================
SETTING UP OWN CA
==================
1. Create directory "certificates" and subdirectories
- ca
- server
- client
2. Create private key and certificate request for our own CA: (from root dir)
openssl req -new -newkey rsa:1024 -nodes -out certificates/ca/ca.csr -keyout certificates/ca/ca.key -config /homes/ts200m/certificates/openssl.cnf
Country Name [C] = GB
State/Province Name [ST] = London
Locality Name [L] = London
Organization Name [O] = Imperial College London
Organizational Unit Name [OU] = London e-Science Centre
Common Name [CN] = ca.lesc.ic.ac.uk
EMail Address [Email] = lesc@(protected)
Challenge Password = changeit
3. Create our CA's self-signed certificate:
openssl x509 -trustout -signkey certificates/ca/ca.key -days 365 -req -in certificates/ca/ca.csr -out certificates/ca/ca.pem
cp certificates/ca/ca.pem certificates/ca/ca.crt
vim certificates/ca/ca.crt
edit "ca.crt" so that strings "TRUSTED CERTIFICATE" read "CERTIFICATE"
4. Copy JDK Certificate Authorities Keystore into Tomcat root dir:
cp $JAVA_HOME/jre/lib/security/cacerts tomcat/
chmod 0755 tomcat/cacerts
5. Import CA certificate into "cacerts":
keytool -import -trustcacerts -keystore tomcat/cacerts -file certificates/ca/ca.pem -alias LeSC-CA
Keystore Password = changeit
Should get "Certificate was added to keystore" message
6. Create file to hold CA's serial numbers:
echo "02" > certificates/ca/ca.srl
======================
SETTING UP WEB SERVER
======================
1. Create keystore for server:
(This creates a keystore, as well as a self-signed certificate with the details provided)
keytool -genkey -alias server -dname "CN=epic-server.lesc.ic.ac.uk, O=Imperial College London, OU=London e-Science Centre, L=London, S=London, C=GB" -keysize 1024 -keystore certificates/server/server.ks -keypass changeit -storepass changeit -storetype JKS -validity 365
2. Create certificate request for web server:
keytool -certreq -keystore certificates/server/server.ks -storepass changeit -alias server -file certificates/server/server.csr
3. Sign certificate request with own CA:
openssl x509 -CA certificates/ca/ca.pem -CAkey certificates/ca/ca.key -CAserial certificates/ca/ca.srl -req -in certificates/server/server.csr -out certificates/server/server.crt -days 365
4. Import CA certificate into keystore as root certificate: (don't know if -trustcacerts is required...)
keytool -import -alias root -keystore certificates/server/server.ks -storepass changeit -trustcacerts -keyalg RSA -file certificates/ca/ca.pem
Should see message "Certificate was added to keystore" after import
5. Import signed server certificate into server keystore:
(This should replace the self-signed certificate with alias "server" that was created when the keystore was created)
keytool -import -alias server -keystore certificates/server/server.ks -storepass changeit -keyalg RSA -file certificates/server/server.crt
Should see message "Certificate reply was installed in keystore" after import
6. Move keystore file to Tomcat's root dir:
mv certificates/server/server.ks tomcat/
chmod 0755 tomcat/server.ks
7. Set up SSL Connector for Tomcat (edit file tomcat/conf/server.xml):
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 55556 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector "
port="55556" minProcessors="5" maxProcessors="75"
enableLookups="true" acceptCount="100" debug="0"
scheme="https" secure="true"
useURIValidationHack="false" disableUploadTimeout="true">
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory "
clientAuth="true" protocol="TLS"
keystoreFile="server.ks" keystorePass="changeit"
truststoreFile="cacerts" truststorePass="changeit"/>
</Connector>
=====================
SET UP AN SSL CLIENT
=====================
1. Create a client certificate request
openssl req -new -newkey rsa:512 -nodes -out certificates/client/client1.req -keyout certificates/client/client1.key -config /homes/ts200m/certificates/openssl.cnf
Country Name = GB
State/Province Name = London
Locality Name = London
Organization Name = Imperial College
Organizational Unit Name = Department of Computing
Common Name = Tamas Suto
Email Address = ts200m@(protected)
Challenge Password = changeit
2. Have CA sign client certificate:
openssl x509 -CA certificates/ca/ca.pem -CAkey certificates/ca/ca.key -CAserial certificates/ca/ca.srl -req -in certificates/client/client1.req -out certificates/client/client1.pem -days 365
3. Generate PKCS12 file containing client key and certificate:
openssl pkcs12 -export -clcerts -in certificates/client/client1.pem -inkey certificates/client/client1.key -out certificates/client/client1.p12 -name "EPIC Client Certificate"
Export Password = changeit
4. Import PKCS12 certificate file into browser and use as client certificate and key
If anyone could help me spot where something has gone wrong, I would be most thankful. I have already spent weeks trying to get this working without any success.
Thanks for any help in advance.
Best regards,
Tamas Suto
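The procedure in the post above, rebuilt as an added example that is not part of the original message: a POSIX shell script that creates a private CA, issues CA-signed server and client certificates with OpenSSL, exports PKCS12 bundles, and runs the two offline checks that separate the failure modes a browser reports as a bad signature (a leaf whose signature does not verify against the CA, and a server that still presents the self-signed certificate keytool -genkey created instead of the CA-signed reply). The CA is made with a single openssl req -x509 call rather than x509 -trustout, so the PEM carries plain CERTIFICATE headers and the hand-editing step of the post is not needed. The names (ca.example.test, server.example.test, client1, Example Org), the 2048-bit keys in place of the post's 1024- and 512-bit ones, the temporary working directory, the config file the script writes, and the optional keytool -importkeystore step (Java 6 or later, so newer than the JDKs of the Tomcat 4.1 era) are this example's assumptions; the password changeit is the post's own placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: private CA, CA-signed server and
# client certs, PKCS12 bundles, and the checks that catch a bad chain offline.
# Assumes openssl 1.1.1+ in PATH; hostnames, names and paths are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"        # every key and certificate lands here
CA_SUBJ="/C=GB/ST=London/L=London/O=Example Org/CN=ca.example.test"
SERVER_CN="server.example.test"     # must match the host the browser connects to
PASS="changeit"                     # placeholder store/export password, as in the post

# One config for the CA and the two leaf profiles. DNs come from -subj, so the
# req_dn section is only the stub that openssl req insists on.
write_config() {
    cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_CN
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Self-signed CA in one step; unlike "x509 -trustout" this writes a plain
# "-----BEGIN CERTIFICATE-----" PEM that keytool reads without hand-editing.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -subj "$CA_SUBJ" \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem"
}

# Key and CSR for $1 (CN $2), signed by the CA under extension profile $3.
issue_cert() {
    name=$1; cn=$2; profile=$3
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=GB/O=Example Org/CN=$cn" \
        -config "$WORK/openssl.cnf" -keyout "$WORK/$name.key" -out "$WORK/$name.csr"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/openssl.cnf" -extensions "$profile" \
        -out "$WORK/$name.crt"
}

# Check 1: does the signature on $1.crt verify against the CA? This is the
# offline form of the browser's "invalid signature" complaint.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.crt" | grep -q ': OK$'
}

# Check 2: is the certificate at path $1 self-signed (subject == issuer)? A
# server still serving the cert that keytool -genkey made fails this check.
is_self_signed() {
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//')
    iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# PKCS12 for $1: key, leaf cert and CA cert, for a browser or a PKCS12 keystore.
export_p12() {
    openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -certfile "$WORK/ca.pem" -name "$1" -out "$WORK/$1.p12" -passout "pass:$PASS"
}

# Optional JKS key store and trust store (keytool -importkeystore needs Java 6+).
build_java_stores() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping JKS"; return 0; }
    keytool -importkeystore -noprompt -srckeystore "$WORK/server.p12" -srcstoretype PKCS12 \
        -srcstorepass "$PASS" -destkeystore "$WORK/server.jks" -deststorepass "$PASS"
    keytool -import -noprompt -trustcacerts -alias ca -file "$WORK/ca.pem" \
        -keystore "$WORK/truststore.jks" -storepass "$PASS"
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not in PATH" >&2; return 0; }
    write_config
    make_ca
    issue_cert server  "$SERVER_CN" server_ext
    issue_cert client1 client1      client_ext
    verify_chain server      # set -e aborts here if the CA signature is bad
    verify_chain client1
    if is_self_signed "$WORK/server.crt"; then
        echo "server.crt is self-signed: the CA-signed reply was never installed" >&2
        return 1
    fi
    export_p12 server
    export_p12 client1
    build_java_stores
    echo "artifacts in $WORK: ca.pem, server.crt/.p12, client1.crt/.p12"
}
main
```

Run it with sh; it prints the directory holding the artifacts. Before involving Tomcat at all, exercise the mutual handshake with OpenSSL's own tools: `openssl s_server -accept 8443 -Verify 1 -CAfile ca.pem -cert server.crt -key server.key` in one terminal (capital -Verify makes the client certificate mandatory, as clientAuth="true" does) and `openssl s_client -connect 127.0.0.1:8443 -cert client1.crt -key client1.key -CAfile ca.pem` in another; a chain that passes there but fails in the browser narrows the fault to what the server is actually configured to present. On OpenSSL 3 add -legacy to the pkcs12 -export call if a 2004-era consumer has to read the bundle, since the default PBES2/AES encoding did not exist then.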