tomcat - How do you use self-signed certificates when attempting client certificate authentication (Java) -


i'm trying use self signed certificates (ie subject , issuer both same) x509 client authentication.

my understanding need make 2 sets of key pairs , put them appropriate keystore.jks client , server.

then need make each side "trust" ca signed certificates. since these self-signed, seems mean need put certificate truststore.jks both sides (ie client's cert should go server's truststore, , opposite server's cert).

this how did it:

#make selfsigned tomcat cert keytool -genkey -keyalg rsa -validity 365 -keysize 2048 -alias tomcat -keystore $tomcat_root/conf/keystore.jks -storepass changeit -dname 'cn=localhost' -keypass changeit  #don't want import whole private key... certificate part # we're trying make client trust server's ca keytool -exportcert -alias tomcat -keystore $tomcat_root/conf/keystore.jks -storepass changeit -file tomcat.crt keytool -importcert -alias tomcat -keystore clienttruststore.jks -storepass clientpassword -file tomcat.crt -noprompt  #make client key pair keytool -genkey -keyalg rsa -validity 365 -keysize 2048 -alias client -keystore clientkeystore.jks -storepass clientpassword -dname 'cn=root' -keypass clientpassword  #make sure tomcat can trust client's ca keytool -exportcert -alias client -keystore clientkeystore.jks -storepass clientpassword -file client.crt keytool -importcert -alias client -keystore $tomcat_root/conf/truststore.jks -storepass changeit -file client.crt -noprompt

tomcat's connector configured like

     <connector port="8443"            protocol="org.apache.coyote.http11.http11nioprotocol"            sslenabled="true"            maxthreads="150"            scheme="https"            secure="true"            keystorefile="snip/conf/keystore.jks"            keystorepass="changeit"            truststorefile="snip/conf/truststore.jks"            truststorepass="changeit"            enablelookups="true"             clientauth="true"            sslenabledprotocols="tlsv1.2,tlsv1.1"            ciphers="tls_ecdhe_rsa_with_aes_128_cbc_sha256, tls_ecdhe_rsa_with_aes_128_gcm_sha256, tls_ecdhe_rsa_with_aes_128_cbc_sha, tls_dhe_rsa_with_aes_128_cbc_sha, tls_rsa_with_aes_128_cbc_sha256, ssl_rsa_with_3des_ede_cbc_sha"            />

and client run this:

java -djavax.net.ssl.truststore=clienttruststore.jks \      -djavax.net.ssl.truststorepassword=clientpassword \      -djavax.net.ssl.keystore=clientkeystore.jks \      -djavax.net.ssl.keystorepassword=clientpassword \      -djavax.net.debug=ssl foo.bar.main

ultimately client spewls lot of info, here can see client apparently refuses send it's client certificate

*** serverhello, tlsv1.2 --snip-- *** certificaterequest cert types: rsa, dss, ecdsa supported signature algorithms: sha512withecdsa, sha512withrsa, sha384withecdsa, sha384withrsa, sha256withecdsa, sha256withrsa, sha256withdsa, sha224withecdsa, sha224withrsa, sha224withdsa, sha1withecdsa, sha1withrsa, sha1withdsa cert authorities: <cn=root> *** serverhellodone warning: no suitable certificate found - continuing without client authentication *** certificate chain <empty> ***

i read mean: "server saying hello , asking client certificate (because of tomcat clientauth=true setting). certificate must signed 1 of listed cas (ie cn=root), client says no suitable certificate found.


Comments

Post a Comment

Popular posts from this blog

sql server - Cannot query correctly (MSSQL - PHP - JSON) -

i have little problem on project. , turns out query result returns nothing when value of first name or last name has 'ñ' in it. here's code config.php: <?php ini_set('mssql.charset', 'utf-8'); header('content-type: text/html; charset=utf-8'); $servername = "192.168.1.21"; /* ip add of db server */ $connection = array("database" => "db", "uid" => "?", "pwd" => "***"); $conn = sqlsrv_connect($servername, $connection); if(!$conn){ echo "connection not established."; die(print_r(sqlsrv_errors(), true)); } ?> myquery: $idnumber = $_post["idnum"]; $response = array(); $query2 = "select clname, cfname, cmname, cqualifier student cidno = '$idnumber'"; try{ $stmt2 = sqlsrv_query($conn, $query2); } catch(pdoexeption $ex){ $response["success"] = 0; $response["message"] = "d...
Read more

php - trouble displaying mysqli database results in correct order -

i have table in database stores events , date expire. want display events on website display current events first expired events after? i have tried following sql $sql = "select noticeid, notice, noticedesc, noticeimg, noticedate, expirydate tbl_notices group noticeid ,expired order expirydate asc"; but returns expired results first due expirydate being ordered asc in query. my tbl_notice structure looks this noticeid => int(4) notice => varchar(100) noticedesc => text noticedate => timestamp noticeimg => varchar(40) expirydate => datetime expired => int(1) 0 current or 1 expired my php code is $sql = "select noticeid, notice, noticedesc, noticeimg, noticedate, expirydate tbl_notices group noticeid ,expired order expirydate asc"; $result = mysqli_query($conn,$sql); if ($result->num_rows > 0) { // output data of each row while($row = $result->fetch_assoc()) { ...
Read more

C++ Linked List -

i trying create linked list download txt file , use linked list handle file line line. when handling downloaded linked list operations performed on such text editor would. encountering problems however. seems "node(string value)" section of code has wrong though original node() declaration no arguments passes. unable figure out quite is. node.h class node { public: node(); node(string value); void setnext(node *nextnode); // allows user set "next" pointer of node points friend class linkedlist; private: string data; // data box node* next; // pointer box }; node.cpp # include <string> # include "node.h" using namespace std; node::node() { data = ""; next = null; } node::node(string value) { data = value; next = null; } void node::setnext(node *nextnode) // allows user set "next" pointer of node points { this->next = nextnode; } your #include <string> ...
Read more