Chained Client Certificates
<p>I would like to use SSL client certificates to authenticate users connecting to tomcat6/7. I’ve got tomcat configured correctly, and certificates I sign with the cert in the truststore I gave to tomcat are authenticating successfully from both IE and Firefox.</p>

<p>I would also like to chain client certificates, because I want to give customers the ability to manage their own users. I could accomplish this by issuing a customer an intermediate management CA certificate that they would use to sign additional user certs. I would need the user’s browser to send the user certificate, chained with the management CA (signed by my root certificate), to authenticate.</p>

<p>I am using openssl, and I have created a root CA and an intermediate CA, and I have used the intermediate CA to sign a leaf certificate. I have converted all three certificates to pkcs12 and pem, and used keytool to import the root certificate into a truststore for tomcat. <code>openssl verify</code> will verify the leaf pkcs12 against the intermediate certificate (and the intermediate verifies against the root). But I cannot get the leaf certificate (pkcs12) to verify against the root certificate (pkcs12). I also cannot get either IE or Firefox to authenticate using the leaf certificate. IE will prompt me for the certificate, but fails to authenticate (there is no mention of the connection or failure in tomcat’s log). Firefox does not prompt for the leaf certificate; it simply fails to authenticate.</p>

<p>Here is how I try to verify the leaf against the root using openssl:</p>

<pre><code>openssl verify -CAfile ..\root\Root.pem Leaf.pem
</code></pre>

<p>Here are the scripts I am using to generate the three certificates:<br>
root.bat:</p>

<pre><code>set name=Root
set keyPassword=dummypassword
set trustPassword=dummypassword
REM Self-signed root CA: 4096-bit key, CSR, then sign the CSR with its own key
openssl genrsa -des3 -passout pass:%keyPassword% -out %name%.key 4096
openssl req -new -key %name%.key -passin pass:%keyPassword% -out %name%.csr -subj "/C=US/ST=Chaos/L=TimeNSpace/O=None/CN=%name%"
openssl x509 -req -days 3650 -in %name%.csr -signkey %name%.key -passin pass:%keyPassword% -extfile GenerateCertificate.cfg -extensions v3_ca -out %name%.crt
REM Bundle key and cert as PKCS#12
openssl pkcs12 -export -in %name%.crt -inkey %name%.key -passin pass:%keyPassword% -passout pass:%keyPassword% -out %name%.pkcs12
REM Build the JKS truststore handed to tomcat (root cert only)
keytool -noprompt -import -file %name%.crt -alias %name% -keystore %name%.truststore -deststorepass %trustPassword%
keytool -list -v -keystore %name%.truststore -storepass %trustPassword% &gt; %name%.truststore.dump.txt
keytool -exportcert -alias %name% -keystore %name%.truststore -storetype jks -storepass %trustPassword% -rfc -file %name%.truststore.pem
REM PEM copy (key and cert, key unencrypted) of the PKCS#12
openssl pkcs12 -in %name%.pkcs12 -out %name%.pem -nodes -passin pass:%keyPassword%
</code></pre>

<p>intermediate.bat:</p>

<pre><code>set name=Intermediate
set password=dummypassword
set caDir=../root
set caName=Root
set caPassword=dummypassword
REM Intermediate CA: CSR signed by the root key with the v3_ca extensions
openssl genrsa -des3 -passout pass:%password% -out %name%.key 2048
openssl req -new -key %name%.key -passin pass:%password% -out %name%.csr -subj "/C=US/ST=Chaos/L=TimeNSpace/O=None/CN=%name%"
openssl x509 -req -days 3650 -in %name%.csr -CA %caDir%/%caName%.crt -CAkey %caDir%/%caName%.key -passin pass:%caPassword% -set_serial 1 -extfile GenerateCertificate.cfg -extensions v3_ca -out %name%.crt
REM PKCS#12 with the root appended via -chain
openssl pkcs12 -export -in %name%.crt -inkey %name%.key -passin pass:%password% -passout pass:%password% -chain -CAfile %caDir%/%caName%.crt -out %name%.pkcs12
openssl pkcs12 -in %name%.pkcs12 -out %name%.pem -nodes -passin pass:%password%
</code></pre>

<p>leaf.bat:</p>

<pre><code>set name=Leaf
set password=dummypassword
set caDir=../intermediate
set caName=Intermediate
set caPassword=dummypassword
REM User (leaf) certificate: CSR signed by the intermediate key, no extension file
openssl genrsa -des3 -passout pass:%password% -out %name%.key 2048
openssl req -new -key %name%.key -passin pass:%password% -out %name%.csr -subj "/C=US/ST=Chaos/L=TimeNSpace/O=None/CN=%name%"
openssl x509 -req -days 3650 -in %name%.csr -CA %caDir%/%caName%.crt -CAkey %caDir%/%caName%.key -passin pass:%caPassword% -set_serial 1 -out %name%.crt
REM PKCS#12 for the browser, chained against the intermediate's PEM
openssl pkcs12 -export -in %name%.crt -inkey %name%.key -passin pass:%password% -passout pass:%password% -chain -CAfile %caDir%/%caName%.pem -out %name%.pkcs12
openssl pkcs12 -in %name%.pkcs12 -out %name%.pem -nodes -passin pass:%password%
</code></pre>

<p>GenerateCertificate.cfg:</p>

<pre><code>[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true,pathlen:3
</code></pre>
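The same three-tier build (root, intermediate, leaf) as an added example that is not part of the original post, written as a POSIX shell script for a Unix-like host rather than the batch files above. It assumes an <code>openssl</code> binary on PATH and a writable temp directory; the file names, the subjects, the <code>changeit</code> PKCS#12 password and the per-tier extension sections are assumptions for the example. It goes slightly beyond the question's scripts: the intermediate is constrained to <code>pathlen:0</code>, the leaf is marked <code>CA:false</code> with a <code>clientAuth</code> EKU, and the PKCS#12 for the browser is built with <code>-certfile</code> so the intermediate travels with the leaf. The two <code>openssl verify</code> calls show the difference between verifying the leaf with only the root (the call in the question) and passing the intermediate as an untrusted chain certificate with <code>-untrusted</code>.

```shell
#!/bin/sh
# Added example (not the original poster's scripts): build Root -> Intermediate
# -> Leaf with openssl, then check how the chain verifies and how it is packaged.
# Assumptions: `openssl` on PATH, a writable temp dir, the names used below.

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK" || exit 1

# One config: a [req] section so `openssl req` does not need the system
# openssl.cnf, plus one extension section per tier of the hierarchy.
cat > chain.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]

[ v3_root ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, keyCertSign, cRLSign

[ v3_intermediate ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign

[ v3_leaf ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# gen_key_and_csr NAME: unencrypted 2048-bit key (example only) and a CSR.
gen_key_and_csr() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$1.key" -config chain.cnf \
        -subj "/C=US/ST=Chaos/L=TimeNSpace/O=None/CN=$1" -out "$1.csr" 2>/dev/null
}

# Sign each tier with the one above it and bundle the leaf for the browser.
make_chain() {
    gen_key_and_csr Root || return 1
    openssl x509 -req -days 3650 -in Root.csr -signkey Root.key \
        -extfile chain.cnf -extensions v3_root -out Root.crt 2>/dev/null || return 1
    gen_key_and_csr Intermediate || return 1
    openssl x509 -req -days 1825 -in Intermediate.csr -CA Root.crt -CAkey Root.key \
        -CAcreateserial -extfile chain.cnf -extensions v3_intermediate \
        -out Intermediate.crt 2>/dev/null || return 1
    gen_key_and_csr Leaf || return 1
    openssl x509 -req -days 365 -in Leaf.csr -CA Intermediate.crt -CAkey Intermediate.key \
        -CAcreateserial -extfile chain.cnf -extensions v3_leaf \
        -out Leaf.crt 2>/dev/null || return 1
    # The PKCS#12 the user imports: leaf key + leaf cert + intermediate + root,
    # so the client can present the intermediate during the TLS handshake.
    cat Intermediate.crt Root.crt > chain.pem || return 1
    openssl pkcs12 -export -in Leaf.crt -inkey Leaf.key -certfile chain.pem \
        -passout pass:changeit -out Leaf.p12 2>/dev/null
}

# The call from the question: only the root is trusted and nothing supplies
# the intermediate, so the chain cannot be built (exit status is non-zero).
verify_root_only() {
    openssl verify -CAfile Root.crt Leaf.crt >/dev/null 2>&1
}

# Trust anchor is still the root; the intermediate is supplied as an untrusted
# chain certificate, which is what the client sends in the handshake.
verify_with_intermediate() {
    openssl verify -CAfile Root.crt -untrusted Intermediate.crt Leaf.crt >/dev/null 2>&1
}

# Number of certificates bundled in the PKCS#12 (expected: leaf + 2 CAs = 3).
certs_in_p12() {
    openssl pkcs12 -in Leaf.p12 -passin pass:changeit -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# If a leaf carries an EKU at all, it must include clientAuth for client auth.
leaf_has_client_auth() {
    openssl x509 -in Leaf.crt -noout -text 2>/dev/null |
        grep -q 'TLS Web Client Authentication'
}

if make_chain; then
    if verify_root_only; then
        echo "verify with root only: OK"
    else
        echo "verify with root only: FAILS (intermediate not supplied)"
    fi
    if verify_with_intermediate; then
        echo "verify with root + -untrusted Intermediate.crt: OK"
    fi
    echo "certificates in Leaf.p12: $(certs_in_p12)"
fi
```

Tomcat's truststore only needs the root, as in the question; what must change is that the verification, whether by <code>openssl verify</code> or by the server during the handshake, has to be given the intermediate, and the client side is where that certificate normally comes from. The extension choices are deliberate: <code>pathlen:0</code> on the intermediate stops a customer-held management CA from minting further CAs, <code>CA:false</code> plus <code>clientAuth</code> on the leaf documents what the certificate is for, and a leaf with an EKU that omits <code>clientAuth</code> will be rejected for client authentication.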