Tomcat Server / Client Self-signed SSL Certificate

I have an Apache Tomcat 6.x server working with a self-signed SSL certificate. I want the client to submit their certificate to the server so that I can authenticate them based on the user database. I'm working from an example that I found on the Internet, but the example ships with canned certificates and a pre-built JKS keystore. I want to create my own keystore with my own certificates, but I'm out of luck.

How to create a keystore for Tomcat? How to create a self-signed certificate for Tomcat?

How to create a self-signed certificate for a client?
How to make Tomcat trust client signatures?

I have been playing with java keytool for many hours.

+42
ssl tomcat ssl-certificate self-signed keytool
Jul 24 '09 at 21:59
4 answers

I finally got a solution to my problem, so I will post the results here if anyone gets stuck.

Thanks to Michael Martin of Michael's Software Thoughts and Ramblings, I found that:

keytool uses the DSA algorithm by default when generating a self-signed certificate. Earlier versions of Firefox accepted these keys without a problem. With Firefox 3 beta 5, using DSA does not work, but using RSA does. Passing "-keyalg RSA" when generating a self-signed certificate creates a certificate that Firefox 3 beta 5 fully accepts.

I just set this flag, cleared all the caches in Firefox, and it worked like a charm! I use this as a test setup for my project and need to share it with other people, so I wrote a small batch script that creates two SSL certificates: one you can drop into Tomcat, and another .p12 file that can be imported into Firefox / IE. Thanks!

Usage: The first command line argument is the client username. All passwords are a "password" (without quotes). Modify any of the hard-coded bits to suit your needs.

    @echo off
    if "%1" == "" goto usage

    rem Server key pair (RSA, see the note above) in the JKS keystore that Tomcat will use
    keytool -genkeypair -alias servercert -keyalg RSA -dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US" -keypass password -keystore server.jks -storepass password

    rem Client key pair in a PKCS#12 file that the browser can import
    keytool -genkeypair -alias %1 -keystore %1.p12 -storetype pkcs12 -keyalg RSA -dname "CN=%1,OU=Unit,O=Organization,L=City,S=State,C=US" -keypass password -storepass password

    rem Export the client certificate (public part only) ...
    keytool -exportcert -alias %1 -file %1.cer -keystore %1.p12 -storetype pkcs12 -storepass password

    rem ... and import it into server.jks as a trusted certificate
    keytool -importcert -keystore server.jks -alias %1 -file %1.cer -v -trustcacerts -noprompt -storepass password

    rem Show what the server keystore now contains, then remove the temporary .cer
    keytool -list -v -keystore server.jks -storepass password
    del %1.cer
    goto end

    :usage
    echo Need user id as first argument: generate_keystore [username]
    goto end

    :end
    pause

Results consist of two files. One of them is called server.jks, which you drop into Tomcat, and the other is called {username}.p12, which you import into your browser. The server.jks file has the client certificate added as a trusted certificate.

I hope someone finds this helpful.

And here is the XML you need to add to your Tomcat conf/server.xml file (tested only on Tomcat 6.x):

    <Connector clientAuth="true" port="8443" minSpareThreads="5" maxSpareThreads="75"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="${catalina.home}/conf/server.jks" keystoreType="JKS" keystorePass="password"
               truststoreFile="${catalina.home}/conf/server.jks" truststoreType="JKS" truststorePass="password"
               SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2" sslProtocol="TLS" />

For Tomcat 7:

    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443" SSLEnabled="true" maxThreads="200" scheme="https" secure="true"
               keystoreFile="${catalina.base}/conf/server.jks" keystorePass="password"
               clientAuth="false" sslProtocol="TLS" />
+59
Jul 27 '09 at 16:56

To enable client authentication, you need to specify a "trust store" for Tomcat: a key store containing certificates from root certificate authorities that you trust, each of which is marked as "trustEntry".

This is determined by the attributes of the Connector element: truststoreFile, truststorePass (which defaults to keystorePass) and truststoreType (default is "JKS").

If the client uses a self-signed certificate, then its "root" CA is the certificate itself; it follows that you need to import the self-signed client certificate into the Tomcat trust store.

If you have many clients, this will quickly become a hassle. In this case, you may want to look into signing certificates for your clients. The Java keytool cannot do this, but all the necessary command line utilities are available in OpenSSL. Or you could take a look at something like EJBCA at a larger scale.

Better yet, ask your clients to use an existing free CA, such as startcom.org. This does not always work for server certificates, since the StartCom certificate is not included in all browsers, but this situation has been canceled and the root StartCom certificate can be easily imported into the Tomcat trust store.

+3
Jul 24 '09 at 23:42
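As an added example, and not code from the question or from any of the answers, the Go program below reproduces in-process the trust relationships that the first two answers set up with keytool and the Connector attributes: the server's own self-signed key pair plays the role of keystoreFile, a certificate pool holding only the client's self-signed certificate plays the role of truststoreFile (the self-signed certificate is its own root, as the answer above says), and RequireAndVerifyClientCert corresponds to clientAuth="true". The names "alice" and "mallory", the 127.0.0.1 SAN and the loopback listener are assumptions made for the demo. It runs four handshakes and records which side refused, which is the check a practitioner wants after building the keystores: a trusted client succeeds, a client with no certificate is refused by the server, a self-signed certificate that was never imported is refused by the server, and a client that has not imported the server certificate refuses the server.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned is the in-process counterpart of "keytool -genkeypair -keyalg RSA -dname CN=<cn>".
// Assumption: a 127.0.0.1 SAN is added so the server certificate matches the loopback address dialed below.
func selfSigned(cn string) tls.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{"Unit"}, Organization: []string{"Organization"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// trustStore is the counterpart of "keytool -importcert" into a trust store: a pool holding exactly
// the self-signed certificates we choose to accept. A self-signed certificate is its own root.
func trustStore(certs ...tls.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c.Leaf)
	}
	return pool
}

// handshake runs one TLS connection over loopback and returns the client's and the server's
// handshake errors separately, so the caller can tell which side refused.
func handshake(serverCfg, clientCfg *tls.Config) (clientErr, serverErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		must(err)
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		done <- tls.Server(conn, serverCfg).Handshake()
	}()
	c, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), clientCfg)
	if err == nil {
		c.Close()
	}
	return err, <-done
}

// RunScenarios maps the Tomcat connector onto tls.Config: Certificates is keystoreFile, ClientCAs is
// truststoreFile and RequireAndVerifyClientCert is clientAuth="true". Each result is
// [client completed, server completed]. The names alice and mallory are constructed for the demo.
func RunScenarios() map[string][2]bool {
	server, alice, mallory := selfSigned("Web Server"), selfSigned("alice"), selfSigned("mallory")
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{server},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              trustStore(alice), // only alice's .p12 identity was "imported"
		SessionTicketsDisabled: true,              // keeps the loopback exchange deterministic
	}
	// The browser side: which server certificate it trusts and which identity it presents.
	cases := map[string]*tls.Config{
		"alice, server trusted":        {RootCAs: trustStore(server), Certificates: []tls.Certificate{alice}},
		"no client certificate":        {RootCAs: trustStore(server)},
		"mallory (not in trust store)": {RootCAs: trustStore(server), Certificates: []tls.Certificate{mallory}},
		"alice, server not trusted":    {RootCAs: x509.NewCertPool(), Certificates: []tls.Certificate{alice}},
	}
	results := make(map[string][2]bool)
	for name, cfg := range cases {
		cErr, sErr := handshake(serverCfg, cfg)
		results[name] = [2]bool{cErr == nil, sErr == nil}
	}
	return results
}

func main() {
	for name, ok := range RunScenarios() {
		fmt.Printf("%-30s client completed=%v  server completed=%v\n", name, ok[0], ok[1])
	}
}
```

Note that the first answer's Tomcat 6 connector points truststoreFile at the same server.jks as keystoreFile; the example keeps the key pair and the trust pool separate so that it is explicit which certificates are accepted as client identities. Under TLS 1.3 the client side of a handshake can complete before the server's refusal arrives, so the server-side flag is the one that tells you whether a client certificate was actually accepted.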

Create Certificate:

    keytool -genkey -alias tomcat -keyalg RSA -keystore /home/bob/mykeystore

Enter all the data for the self-signed certificate that you need, then edit Tomcat's server.xml and specify the keystore properties on the SSL connector, for example:

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               keystoreFile="/home/bob/mykeystore"
               clientAuth="false" sslProtocol="TLS" />

or follow the Tomcat docs ...

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

+2
Jul 24 '09 at 10:21

The previous answers are useful to me, but there is no shell script version. So I wrote one.

key_gen.sh:

    #!/bin/bash
    # a key generator for https,
    basename=server
    key_algorithm=RSA
    password_key=123456
    password_store=123456
    country=US

    # clean - pre (-f so a missing keystore on the first run is not an error)
    rm -f "${basename}.jks"

    # generate server side
    keytool -genkeypair -alias "${basename}cert" -keyalg "$key_algorithm" \
        -dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=${country}" \
        -keypass "$password_key" -keystore "${basename}.jks" -storepass "$password_store"

For Tomcat 8 you can add the following configuration to server.xml:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" acceptCount="75"
               keystoreFile="${catalina.home}/conf/server.jks" keystorePass="123456" />
+1
Apr 22 '15 at 11:57
