Intermediate Client Certificates

I would like to use SSL client certificates to authenticate users connecting to Tomcat 6 / 7. I've got Tomcat configured correctly, and the certificates that I sign with the certificate in the truststore that I gave Tomcat successfully authenticate from IE and Firefox.

I would also like to chain client certificates, because I want to give clients the ability to manage their own users. I could do this by issuing a CA certificate to the client that will be used to sign additional user certificates. I will then need a user's browser to send a user certificate associated with the management CA (signed by my root certificate) for authentication.

I use openssl: I created the root CA and the intermediate CA, and used the intermediate CA to sign the leaf certificate. I converted all three certificates to pkcs12 and pem and used keytool to import the root certificate into the truststore for Tomcat. openssl verify checks the leaf (pkcs12) against the intermediate certificate (and the intermediate against the root). But I cannot get the leaf certificate (pkcs12) to verify against the root certificate (pkcs12). I also cannot force IE or Firefox to authenticate using the leaf certificate. IE asks me for a certificate, but cannot authenticate (there is no mention of a connection or a failure in Tomcat's log). Firefox does not request a leaf certificate; it just does not authenticate.

This is how I try to check the leaf against the root using openssl:

openssl verify -CAfile ..\root\Root.pem Leaf.pem

root.bat:

set name=Root
set keyPassword=dummypassword
set trustPassword=dummypassword
rem Root CA: 4096-bit RSA key (3DES-encrypted), CSR, and a self-signed certificate with the v3_ca extensions
openssl genrsa -des3 -passout pass:%keyPassword% -out %name%.key 4096
openssl req -new -key %name%.key -passin pass:%keyPassword% -out %name%.csr -subj "/C=US/ST=Chaos/L=TimeNSpace/O=None/CN=%name%"
openssl x509 -req -days 3650 -in %name%.csr -signkey %name%.key -passin pass:%keyPassword% -extfile GenerateCertificate.cfg -extensions v3_ca -out %name%.crt
rem Bundle key and certificate as PKCS#12
openssl pkcs12 -export -in %name%.crt -inkey %name%.key -passin pass:%keyPassword% -passout pass:%keyPassword% -out %name%.pkcs12
rem Tomcat truststore: only the Root certificate is imported; dump it and export it back as PEM for inspection
keytool -noprompt -import -file %name%.crt -alias %name% -keystore %name%.truststore -deststorepass %trustPassword%
keytool -list -v -keystore %name%.truststore -storepass %trustPassword% > %name%.truststore.dump.txt
keytool -exportcert -alias %name% -keystore %name%.truststore -storetype jks -storepass %trustPassword% -rfc -file %name%.truststore.pem
rem PEM copy of the PKCS#12; -nodes writes the private key unencrypted next to the certificate
openssl pkcs12 -in %name%.pkcs12 -out %name%.pem -nodes -passin pass:%keyPassword%

intermediate.bat:

set name=Intermediate
set password=dummypassword
set caDir=../root
set caName=Root
set caPassword=dummypassword
rem Intermediate CA: 2048-bit RSA key and CSR
openssl genrsa -des3 -passout pass:%password% -out %name%.key 2048
openssl req -new -key %name%.key -passin pass:%password% -out %name%.csr -subj "/C=US/ST=Chaos/L=TimeNSpace/O=None/CN=%name%"
rem Signed by the Root with the v3_ca extensions; -set_serial 1 hard-codes the serial number
openssl x509 -req -days 3650 -in %name%.csr -CA %caDir%/%caName%.crt -CAkey %caDir%/%caName%.key -passin pass:%caPassword% -set_serial 1 -extfile GenerateCertificate.cfg -extensions v3_ca -out %name%.crt
rem PKCS#12 with the chain included; -chain needs a -CAfile that reaches the self-signed Root
openssl pkcs12 -export -in %name%.crt -inkey %name%.key -passin pass:%password% -passout pass:%password% -chain -CAfile %caDir%/%caName%.crt -out %name%.pkcs12
rem PEM copy; -nodes writes the private key unencrypted next to the Intermediate and Root certificates
openssl pkcs12 -in %name%.pkcs12 -out %name%.pem -nodes -passin pass:%password%

leaf.bat:

set name=Leaf
set password=dummypassword
set caDir=../intermediate
set caName=Intermediate
set caPassword=dummypassword
rem Leaf (user) certificate: 2048-bit RSA key and CSR
openssl genrsa -des3 -passout pass:%password% -out %name%.key 2048
openssl req -new -key %name%.key -passin pass:%password% -out %name%.csr -subj "/C=US/ST=Chaos/L=TimeNSpace/O=None/CN=%name%"
rem Signed by the Intermediate; no -extfile, so the leaf carries no extensions, and -set_serial 1 gives every leaf issued this way serial 1
openssl x509 -req -days 3650 -in %name%.csr -CA %caDir%/%caName%.crt -CAkey %caDir%/%caName%.key -passin pass:%caPassword% -set_serial 1 -out %name%.crt
rem PKCS#12 with the chain; the -CAfile is the Intermediate's PEM dump (its key plus the Intermediate and Root certificates)
openssl pkcs12 -export -in %name%.crt -inkey %name%.key -passin pass:%password% -passout pass:%password% -chain -CAfile %caDir%/%caName%.pem -out %name%.pkcs12
rem PEM copy; -nodes writes the private key unencrypted
openssl pkcs12 -in %name%.pkcs12 -out %name%.pem -nodes -passin pass:%password%

GenerateCertificate.cfg:

# CA extensions shared by root.bat and intermediate.bat (leaf.bat issues without -extfile)
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true,pathlen:3
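Working through the three-tier setup above as an added example (my script, not the asker's batch files; the file names, subjects, work directory and the PKCS#12 password "changeit" are assumptions): a POSIX shell script that builds the same Root -> Intermediate -> Leaf hierarchy with openssl, then shows that the verify command in the question fails because the intermediate is never handed to openssl, that `-untrusted` fixes it, that the client PKCS#12 carries the intermediate the server will otherwise never see, and that `-CAcreateserial` gives each issued certificate a distinct serial where a fixed `-set_serial 1` does not.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild Root -> Intermediate -> Leaf
# with openssl and run the checks a practitioner wants before pointing a browser at
# Tomcat. Names, subjects, work directory and the PKCS#12 password are demo assumptions.
set -u
WORK="${WORK:-$(mktemp -d)}"
P12PASS=changeit

# One extension profile per tier, plus a minimal [req] so no system openssl.cnf is
# needed. Only the two CAs carry CA:true; the leaf is CA:false with clientAuth so a
# browser will offer it for TLS client authentication.
write_extensions() {
  cat > "$WORK/ext.cfg" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_root ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
[ v3_intermediate ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
[ v3_leaf ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:false
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
EOF
}

# issue NAME SUBJECT EXTSECTION [CA]: key, CSR and certificate. Without a CA the cert
# is self-signed; with one, -CAcreateserial keeps a counter in CA.srl so every cert a
# CA issues gets a distinct serial (a fixed -set_serial 1 does not).
issue() {
  name=$1 subject=$2 ext=$3 ca=${4:-}
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/ext.cfg" -key "$WORK/$name.key" -subj "$subject" \
    -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$ca" ]; then
    openssl x509 -req -days 3650 -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -extfile "$WORK/ext.cfg" -extensions "$ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -days 1825 -in "$WORK/$name.csr" -CA "$WORK/$ca.crt" \
      -CAkey "$WORK/$ca.key" -CAcreateserial -extfile "$WORK/ext.cfg" \
      -extensions "$ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}

make_chain() {
  write_extensions
  issue root  "/O=Example/CN=Root"         v3_root
  issue int   "/O=Example/CN=Intermediate" v3_intermediate root
  issue leaf  "/O=Example/CN=Leaf"         v3_leaf         int
  issue leaf2 "/O=Example/CN=Leaf2"        v3_leaf         int
  # Client bundle: leaf key + leaf cert + the intermediate, so the browser can present
  # the whole path to a Tomcat whose truststore holds only the root.
  openssl pkcs12 -export -in "$WORK/leaf.crt" -inkey "$WORK/leaf.key" \
    -certfile "$WORK/int.crt" -passout "pass:$P12PASS" -out "$WORK/leaf.p12"
}

# The command from the question: the root is the only anchor and nothing tells openssl
# about the intermediate, so no path can be built ("unable to get local issuer
# certificate"). Echoes ok/fail.
verify_leaf_root_only() {
  if openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# The working form: the intermediate goes in as an *untrusted* path element, so the
# chain is leaf -> intermediate -> root with the root as the only trust anchor.
verify_leaf_with_intermediate() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
       "$WORK/leaf.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Certificates inside the client PKCS#12: expect 2 (leaf + intermediate).
p12_cert_count() {
  openssl pkcs12 -in "$WORK/leaf.p12" -passin "pass:$P12PASS" -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Two certificates from one issuer must not share a serial; browsers refuse the second.
serials_differ() {
  a=$(openssl x509 -in "$WORK/leaf.crt" -noout -serial)
  b=$(openssl x509 -in "$WORK/leaf2.crt" -noout -serial)
  if [ "$a" != "$b" ]; then echo ok; else echo fail; fi
}

make_chain
echo "verify, root only:        $(verify_leaf_root_only)"
echo "verify, with -untrusted:  $(verify_leaf_with_intermediate)"
echo "certificates in leaf.p12: $(p12_cert_count)"
echo "distinct leaf serials:    $(serials_differ)"
```

The Windows equivalent of the working check against the files the batch scripts produce is `openssl verify -CAfile ..\root\Root.crt -untrusted ..\intermediate\Intermediate.crt Leaf.crt`. Tomcat's truststore still needs only the Root; what it must receive from the browser is the leaf plus the intermediate, since a server holding only the Root cannot build the path from a bare leaf, which is why the intermediate belongs in the user's PKCS#12 bundle.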
