I am trying to get SSL working with Tomcat.
I have the SSL PEM file in the Tomcat home, c:\tomcat6.
The Tomcat config looks like this (non-APR version; I got an error whenever I used any APR DLL file at startup):
<!-- JSSE (non-APR) connector: keystoreFile is resolved relative to catalina.base when not absolute.
     SSLEngine and SSLPassword are APR-only settings and are ignored by the JSSE connector. -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS" SSLEngine="on" SSLPassword="mypassword"
           keystoreFile="/tomcatkeystore" keystorePass="mypassword"
/>
I have generated my keys multiple times from instructions on the internet and don't think they are the issue.
I used Jetty to put the PEM files into the keystore and believe them to be OK; the OpenSSL commands are below.
To test I am using:
openssl s_client -cert h:\stuff2\client.pem -CAfile h:\stuff3\ca.pem -connect 1.2.3.4:443
Here are the SSL commands:
# generate the certificate authority key (key)
openssl genrsa -out h:\stuff3\ca.key
# generate the certificate authority unsigned certificate request (csr)
openssl req -new -key h:\stuff3\ca.key -out h:\stuff3\ca.csr
# create the self-signed CA certificate (crt)
openssl x509 -req -days 3650 -in h:\stuff3\ca.csr -signkey h:\stuff3\ca.key -out h:\stuff3\ca.crt
# generate the server key
openssl genrsa -out h:\stuff3\server.key
# generate the server unsigned certificate request (csr)
openssl req -new -key h:\stuff3\server.key -out h:\stuff3\server.csr
# create the signed server certificate (crt) from the server request, using the CA certificate and key
# (openssl ca reads its CA directory, index and serial from the [ca] section of openssl.cnf)
openssl ca -in h:\stuff3\server.csr -cert h:\stuff3\ca.crt -keyfile h:\stuff3\ca.key -out h:\stuff3\server.crt
# generate a client key (key), passphrase-protected with 3DES
openssl genrsa -des3 -out h:\stuff3\client1.key 1024
# generate the client unsigned certificate request (csr)
openssl req -new -key h:\stuff3\client1.key -out h:\stuff3\client1.csr
# sign the client certificate request with the CA
openssl ca -in h:\stuff3\client1.csr -cert h:\stuff3\ca.crt -keyfile h:\stuff3\ca.key -out h:\stuff3\client1.crt
# bundle the client certificate and key into PKCS12 (this is what Firefox imports)
openssl pkcs12 -export -clcerts -in h:\stuff3\client1.crt -inkey h:\stuff3\client1.key -out h:\stuff3\client1.p12
# convert the client PKCS12 back to an unencrypted PEM (cert + key) for openssl s_client -cert
openssl pkcs12 -in client1.p12 -out client1.pem -nodes -passin pass:mypassword
# create a Java keystore for Tomcat from the server PKCS12 using Jetty's PKCS12Import
java -classpath h:\jetty-util-6.1.24.jar;h:\jetty-6.1.24.jar org.mortbay.jetty.security.PKCS12Import h:\stuff3\server.p12 h:\stuff3\tomcatkeystore
copy h:\stuff3\tomcatkeystore c:\tomcat6\
# export the CA certificate and key to PKCS12, then back to PEM for openssl s_client -CAfile
openssl pkcs12 -export -clcerts -in h:\stuff3\ca.crt -inkey h:\stuff3\ca.key -out h:\stuff3\ca.p12
openssl pkcs12 -in h:\stuff3\ca.p12 -out h:\stuff3\ca.pem -nodes -passin pass:mypassword
# export the server certificate and key to PKCS12 (input for the keystore above), then to PEM
openssl pkcs12 -export -clcerts -in h:\stuff3\server.crt -inkey h:\stuff3\server.key -out h:\stuff3\server.p12
openssl pkcs12 -in h:\stuff3\server.p12 -out h:\stuff3\server.pem -nodes -passin pass:mypassw
To test I am using:
openssl s_client -cert h:\stuff3\client1.pem -CAfile h:\stuff3\ca.pem -connect myhost.com:443
The error I get is below:
C:\Openssl-0.9.8l-Win32\bin>openssl s_client -cert h:\stuff3\client1.pem -CAfile h:\stuff3\ca.pem -connect myhost.com:443
Loading 'screen' into random state - done
CONNECTED(00000774)
depth=1 /C=US/ST=New York/L=MyCompany/O=MyCompany/OU=MyCompany/CN=MyCompanyCA/emailAddress=someone@yahoo.com
verify return:1
depth=0 /C=US/ST=New York/O=MyCompany/OU=MyCompany/CN=myhost.com/emailAddress=someone@yahoo.com
verify return:1
2988:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:.\ssl\s3_pkt.c:1061:SSL alert number 46
2988:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:
Any ideas? I have spent days figuring out the certs and getting everything set up, still no luck. I get the same "sslv3 alert certificate unknown" error in Firefox after
importing the client certificate and CA there.
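Added example, not part of the original post. The connector as posted turns on clientAuth but sets no truststoreFile, so the JSSE connector verifies the client certificate against the JVM default truststore (cacerts) rather than against the CA that signed client1.crt; a server that cannot build a chain for the client certificate aborts the handshake with a certificate alert after the client's Certificate message, which is consistent with the "certificate unknown" (alert 46) seen above. The script below rebuilds a CA, a server certificate and a client certificate with plain OpenSSL and then runs the same trust check the server performs, so the CA file can be proven correct before it is put into Tomcat's truststore. Signing uses openssl x509 -req -CA instead of openssl ca, which avoids the CA database (index.txt, serial) that openssl ca needs; all paths, subject names and the password are hypothetical.

```shell
#!/bin/sh
# Added example (not the original poster's commands): CA + server + client
# certificates, a PKCS12 keystore for Tomcat, and the trust check a server
# with clientAuth="true" performs on the client certificate.
# Paths, subjects and the password "mypassword" are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"

gen_chain() {
  # Self-signed CA key and certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/C=US/O=MyCompany/CN=MyCompanyCA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

  # Server key and CSR, signed by the CA (no CA database needed)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=myhost.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null

  # Client key and CSR, signed by the same CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
    -keyout "$WORK/client1.key" -out "$WORK/client1.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/client1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/client1.crt" 2>/dev/null

  # An unrelated CA, standing in for a truststore that lacks MyCompanyCA
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=OtherCA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

  # Server identity for Tomcat: key, certificate and CA in one PKCS12 file,
  # usable directly as keystoreFile with keystoreType="PKCS12"
  openssl pkcs12 -export -name tomcat \
    -in "$WORK/server.crt" -inkey "$WORK/server.key" -certfile "$WORK/ca.crt" \
    -out "$WORK/server.p12" -passout pass:mypassword

  # Client identity as the cert+key PEM that `openssl s_client -cert` expects
  cat "$WORK/client1.crt" "$WORK/client1.key" > "$WORK/client1.pem"
}

# chain_ok CAFILE CERT: does CERT chain to a CA in CAFILE? (exit 0 = yes)
# This is the check the server makes on the client certificate; the CA in
# CAFILE is what must be loaded into Tomcat's truststoreFile.
chain_ok() {
  # Match the "<file>: OK" line instead of trusting the exit code, which
  # older openssl releases set to 0 even when verification fails.
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# p12_cert_count FILE: number of certificates inside a PKCS12 (leaf + CA = 2)
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin pass:mypassword -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

gen_chain
printf 'client1 vs MyCompanyCA: %s\n' "$(chain_ok "$WORK/ca.crt" "$WORK/client1.crt" && echo ok || echo FAIL)"
printf 'client1 vs OtherCA:     %s\n' "$(chain_ok "$WORK/other.crt" "$WORK/client1.crt" && echo ok || echo FAIL)"
printf 'certs in server.p12:    %s\n' "$(p12_cert_count "$WORK/server.p12")"
```

With the chain confirmed, the CA goes into a JKS truststore for Tomcat (keytool -importcert -trustcacerts -alias mycompanyca -file ca.crt -keystore truststore.jks -storepass changeit -noprompt) and the connector gets truststoreFile and truststorePass attributes pointing at it, next to keystoreFile/keystorePass for the server identity. The second chain_ok call shows the failure mode: a client certificate presented to a server whose truststore does not contain MyCompanyCA does not verify, exactly as it would not against the JVM default cacerts.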