Pma

Reputation: 1093

Tomcat and SSL Client certificate

I would like to have a following scenario:

  1. create my own CA
  2. create a server certificate and sign it with my CA
  3. create multiple client certificates and sign them with my CA

Next I would like to authenticate every client which presents a certificate signed by my CA.

Is it possible to realize such a scenario without adding every single client certificate to my Tomcat keystore? I would just like to verify that the certificate the client presents is issued and signed by my CA.

Upvotes: 5

Views: 7273

Answers (3)

Sujen

Reputation: 188

Disclaimer: Use a self-signed root certificate only in a development environment.

For a more complete overview (step-by-step):

Create a root certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365

Create a key and CSR
openssl genrsa -out mycert.key 2048
openssl req -new -nodes -key mycert.key -out mycert.csr

Sign the CSR with your root certificate
openssl x509 -req -in mycert.csr -CA cert.pem -CAkey key.pem -CAcreateserial -out mycert.pem

Create a PKCS#12 certificate with the cert and key
openssl pkcs12 -export -out mycert.p12 -inkey mycert.key -in mycert.pem

Create a separate JKS keystore containing just the CA certificate (to use as the truststore)
keytool -import -alias my-ca -keystore truststore.jks -file cert.pem

This works with the Tomcat configuration of Ian Roberts.

Upvotes: 0

Ian Roberts

Reputation: 122414

Yes, that's certainly possible, and I have done exactly this. If you configure Tomcat with a truststore containing your CA certificate then it should accept any client certificate signed by that CA.

I'll assume you have your CA key and root certificate already generated and you know how to use it to turn CSRs into certificates.

First generate your server key, and a corresponding CSR

$ openssl genrsa -out XXX.key 2048
$ openssl req -new -nodes -key XXX.key -out XXX.csr

Use your CA certificate to sign the CSR, producing a server certificate XXX.crt. Now package the server key, server cert and CA cert into a single PKCS#12 file

$ cat XXX.crt ca-certificate.pem | openssl pkcs12 -export -inkey XXX.key -out XXX.p12 -name tomcat -caname myauthority

You will be prompted for several passwords by this process; set them all to the same value (it doesn't matter what this value is and it doesn't have to be a secure password, it just has to be non-empty - I use changeit).

This .p12 file can now act as the keystore for Tomcat. Next you need to create a separate JKS keystore containing just the CA certificate to use as the truststore.

$ keytool -import -alias myauthority -keystore truststore.jks -file ca-certificate.pem

Again, reply to all password prompts with the same non-empty password, such as changeit.

Finally you can configure Tomcat:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           connectionTimeout="20000"
           keystoreFile="${catalina.home}/conf/XXX.p12"
           keystoreType="PKCS12"
           keystorePass="changeit"
           truststoreFile="${catalina.home}/conf/truststore.jks"
           truststoreType="JKS"
           truststorePass="changeit"
           clientAuth="true" sslProtocol="TLS" />

Upvotes: 9
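The procedure that both Sujen's and Ian Roberts' answers describe, written out as an added, self-contained example (it is not code from the question or either answer): a POSIX shell script that builds the CA, a server certificate and two client certificates with openssl, packages the server side as the PKCS#12 keystore Tomcat needs, and then performs with `openssl verify` the same decision Tomcat's truststore makes: only the CA certificate is trusted, any client certificate that CA issued is accepted, and a certificate from a second, unrelated CA is rejected. The file names, the subject names (My Test CA, alice, bob, mallory), the host name tomcat.example.test and the password changeit are all assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original question or answers. Builds a
# throwaway PKI with openssl and demonstrates the property asked about: a
# truststore holding only the CA certificate accepts every client certificate
# that CA issued and rejects one issued by a different CA. All names below
# (file names, CNs, tomcat.example.test, the password) are assumptions.
set -eu

DAYS=365
PASS=changeit   # keystore password; fine for a demo, handle with care elsewhere

# new_ca DIR NAME: self-signed CA (key + cert in DIR) with real CA extensions.
new_ca() {
    dir=$1; name=$2
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$DAYS" -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
}

# issue_cert DIR CA NAME EXTENSIONS: key + CSR for NAME, signed by DIR/CA.crt.
# This is the "turn CSRs into certificates" step the answers assume.
issue_cert() {
    dir=$1; ca=$2; name=$3; ext=$4
    printf 'basicConstraints=CA:FALSE\n%s\n' "$ext" > "$dir/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$DAYS" -in "$dir/$name.csr" \
        -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# build_pki DIR: our CA, the Tomcat server cert, two clients, plus a rogue CA
# and a client it issued (the case the truststore must reject).
build_pki() {
    dir=$1
    new_ca "$dir" myca
    issue_cert "$dir" myca tomcat.example.test \
        'subjectAltName=DNS:tomcat.example.test
extendedKeyUsage=serverAuth'
    issue_cert "$dir" myca alice 'extendedKeyUsage=clientAuth'
    issue_cert "$dir" myca bob   'extendedKeyUsage=clientAuth'
    new_ca "$dir" rogueca
    issue_cert "$dir" rogueca mallory 'extendedKeyUsage=clientAuth'
    # Tomcat keystore: server key + server cert + CA cert in one PKCS#12, as in
    # the accepted answer. With OpenSSL 3 add -legacy if an old JDK rejects it.
    openssl pkcs12 -export -inkey "$dir/tomcat.example.test.key" \
        -in "$dir/tomcat.example.test.crt" -certfile "$dir/myca.crt" \
        -name tomcat -passout "pass:$PASS" -out "$dir/server.p12"
    # Bundle for one client, importable into a browser or usable with curl -E.
    openssl pkcs12 -export -inkey "$dir/alice.key" -in "$dir/alice.crt" \
        -name alice -passout "pass:$PASS" -out "$dir/alice.p12"
}

# verify_client DIR CLIENT: the check Tomcat's truststore performs. Only
# DIR/myca.crt is trusted; no per-client entry exists. Exit status 0 = accepted.
# -purpose sslclient also enforces the extendedKeyUsage a TLS server expects.
verify_client() {
    openssl verify -purpose sslclient -CAfile "$1/myca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Self-check when run directly: alice and bob are accepted, mallory is rejected.
main() {
    work=$(mktemp -d)
    build_pki "$work"
    for c in alice bob mallory; do
        if verify_client "$work" "$c"; then echo "$c: accepted"; else echo "$c: rejected"; fi
    done
    echo "PKI written to $work"
}
main
```

The generated server.p12 and myca.crt are the two files the Connector above points at (myca.crt goes into truststore.jks with the keytool command from the answer). Two things follow from the "trust the CA, not the client" design. First, anyone holding myca.key can mint a certificate Tomcat will accept, so the CA key belongs offline, not on the Tomcat host. Second, there is no list to delete a client from: revoking a lost or compromised client certificate means publishing a CRL signed by the CA and pointing the Connector at it (the crlFile attribute on the JSSE connector, certificateRevocationListFile on the nested SSLHostConfig element that Tomcat 8.5 and later use, where clientAuth="true" becomes certificateVerification="required"). The application still has to decide who the authenticated client is, typically by reading the presented certificate from the javax.servlet.request.X509Certificate request attribute and mapping its subject to a user.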

Done

Reputation: 69

You should look at OpenSSL: http://openssl.org/ Or, if you want an existing CA for free (but you have to do it each month), there's http://www.startssl.com/

Upvotes: -1
