Re: Export CACertificate to Tomcat (Apache Users)

Re: Export CACertificate to Tomcat

Date Prev

Date Next

Thread Prev

Thread Next

Date Index

Thread Index

To: ravi kumar <ravindra_luv23@xxxxxxxxxxx>

Subject: Re: Export CACertificate to Tomcat

From: Tina Exner <texner@xxxxxxxxxxxxxx>

Date: Fri, 6 Aug 2010 10:27:36 +0200

Cc: users@xxxxxxxxxxxxxxxx

In-reply-to: <833334.37706.qm@xxxxxxxxxxxxxxxxxxxxxxxxx>

Organization: picturesafe /media/data/bank GmbH

Reply-to: users@xxxxxxxxxxxxxxxx

Reply-to: "Exner, Tina" <texner@xxxxxxxxxxxxxx>

User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.11) Gecko/20100711 Lightning/1.0b1 Thunderbird/3.0.6

thank you very mutch for your reply!

that works for me!

:-)

Am 05.08.2010 17:41, schrieb ravi kumar:

Hi,

Confirm if u want certificate for apache or tomcat?
If it is apache then "filename.crt" file will work, but if it is for tomcat then u will need
"filename.keystore" is required.

Below command is used to generate .key file in Linux using phase key

openssl genrsa -des3 1024 > filename.key

Below command is used to generate csr file in Linux

openssl req -new -key /root/csr/filename.key > filename.csr

==========================================

Step 1: Generate a keystore in pkcs12 format using the Certificate (.crt) and the Private Key (.key) files

openssl pkcs12 -in <yourfile.crt> -inkey <yourfile.key> -export -out <keystore name> -name tomcat

The keystore file will be generated into the folder where OpenSSL binary is located

Step 2: Once the keystore is generated, configure the SSL factory in server.xml file to use it

Example:

<clientAuth="false" sslprotocol="TLS" keystoreFile="C:\Program\tomcat/keystore" keystorePass="mypassword" truststorePass="mypassword" keystoreType="pkcs12" />

Note :- Sometimes providerroot file is required.
Ex. If i purchased my certificate from "thawte" then i will
require "thawteroot.csr" and will merge this with my "filename.csr" and install on the server.

Hope above solution works for you.

Thanks,
Ravi

--- On Thu, 5/8/10, Tina Exner <texner@xxxxxxxxxxxxxx> wrote:

From: Tina Exner <texner@xxxxxxxxxxxxxx>
Subject: Re: Export CACertificate to Tomcat
To: users@xxxxxxxxxxxxxxxx
Date: Thursday, 5 August, 2010, 3:49 PM

did nobody know a solution for this problem?

hi all,

we have a nexus multiid server for certificate authentication.
i try to pass the client smartcard certificates from apache to tomcat server.
the tomcat talks to the nexus and the authentication take effect.

when i try to export the client ca certificate to the tomcat server
i get the following errors:

[Mon Aug 02 15:36:40 2010] [error] [client] Certificate Verification: Error (20): unable to get local issuer certificate
[Mon Aug 02 15:36:40 2010] [error] [client] Re-negotiation handshake failed: Not accepted by client!?

@Firefox:
(Fehlercode: ssl_error_unknown_ca_alert)

this is my ssl configuration:

<IfModule ssl_module>
          SSLVerifyClient none
          SSLVerifyDepth 5

          #SSLOptions +ExportCertData +StrictRequire +StdEnvVars +FakeBasicAuth
          SSLOptions +ExportCertData

          #SSLCACertificateFile conf/ssl/Certificate.cer

      </IfModule>

       <Location /nexus>
                SSLVerifyClient         require
                SSLVerifyDepth          5

                #SSLCACertificateFile    /ps/apache2.2/testsystem1/conf/ssl/Certificate.crt
                #SSLOptions             +ExportCertData +StrictRequire +StdEnvVars +FakeBasicAuth
                SSLOptions              +ExportCertData +StdEnvVars
                #SSLRequireSSL
       </Location>

my jk.conf:

JkExtractSSL          On
JkHTTPSIndicator      HTTPS
JkSESSIONIndicator    SSL_SESSION_ID
JkCIPHERIndicator     SSL_CIPHER
JkCERTSIndicator      SSL_CLIENT_CERT
JkEnvVar              SSL_CLIENT_CERT SSL_CLIENT_CERT
JkOptions             +ForwardSSLCertChain

i use apache 2.2.13-3 and openssl 0.9.8a.

Any hints on what might have gone wrong will be highly useful.

regards
Tin