Two-way SSL authentication on Tomcat using OpenSSL self-signed certificates.

Two-way SSL authentication:

OpenSSL is used for creating the private keys and certificates. Setting up two-way SSL authentication on Tomcat is done as follows:

  1.  Generate a self-signed certificate for the Tomcat web application
  2.  Generate a self-signed certificate for the client (a browser in this example)
  3.  Import the client certificate into the server's keystore, since no CA is used and the server needs to know the client's public key (optional)
  4.  Configure Tomcat's server.xml
Generating a private key using OpenSSL

    openssl genrsa -out privkey.pem 2048

This generates a 2048-bit RSA private key. With OpenSSL, the private key file contains the public key information as well, so a public key doesn't need to be generated separately.

Generating a self-signed certificate using OpenSSL

    openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

Generates a self-signed certificate containing that public key, valid for 1095 days.


1. Generate a self-signed certificate for the Tomcat web application

a. Create a private key for the server

    openssl genrsa -out serverprivatekey.pem 2048

b. Create an OpenSSL self-signed certificate for the server using the private key

    openssl req -new -x509 -key serverprivatekey.pem -out servercert.pem -days 1095

   This prompts you to enter a few pieces of information; use "." to leave a field blank. When prompted for 'Common Name', specify the hostname of the machine Tomcat runs on.

c. Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores, so generate a keystore in JKS format from the certificate above. This involves first creating a PKCS12 file; the -name option sets the friendly name that keytool uses as the alias in the next step (without it, the import by alias fails with "Alias serverCert does not exist")

    openssl pkcs12 -export -out serverkeystore.pkcs12 -in servercert.pem -inkey serverprivatekey.pem -name serverCert

   It asks for an export password; it is recommended to provide one.

d. Now convert the serverkeystore.pkcs12 file to a JKS format keystore using Java's keytool

    keytool -importkeystore -alias serverCert -srckeystore serverkeystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS

   Keytool asks you twice for a new password (the keystore password) for the JKS keystore, and it will also ask for the password you set on the PKCS12 keystore created earlier.

2. Generate a self-signed certificate for the client (a browser in this example)

a. Create a private key for the client

    openssl genrsa -out clientprivatekey.pem 2048

b. Create an OpenSSL self-signed certificate for the client using the private key

    openssl req -new -x509 -key clientprivatekey.pem -out clientcert.pem -days 365

   When prompted for 'Common Name', specify a user from tomcat-users.xml.

c. Firefox accepts a PKCS12 file for the certificate. Export the client certificate into PKCS12 format, again giving the entry an alias with -name so that the optional import in step 3 can refer to it

    openssl pkcs12 -export -out clientkeystore.pkcs12 -in clientcert.pem -inkey clientprivatekey.pem -name clientCert

Import this clientkeystore.pkcs12 into the Firefox browser: Tools -> Options -> Advanced -> View Certificates -> Your Certificates -> Import.

3. Import the client certificate into the server's keystore (optional)

    keytool -importkeystore -alias clientCert -srckeystore clientkeystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS

4. Configuring Tomcat's server.xml

   Edit CATALINA_HOME/conf/server.xml, where CATALINA_HOME is the base directory of Tomcat. By default, the HTTPS Connector configuration is commented out. Uncomment it and add keystoreFile, keystorePass, truststoreFile and truststorePass. 'clientAuth' needs to be set to true to enable two-way SSL authentication. 'keyAlias' needs to be set to the alias of the server certificate in the keystore file.
   In case you did not import the client keystore into the server's keystore, specify the truststoreFile as the client's keystore (and, since that file is PKCS12 while the connector's default truststore type is JKS, set truststoreType="PKCS12").

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="true" keyAlias="serverCert" sslProtocol="TLS" keystoreFile="path/to/jks_keystore_file" keystorePass="geebox" truststoreFile="path/to/jks_keystore_file" truststorePass="geebox"/>
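As an added example (not the blog's own script), the following POSIX shell script runs steps 1 to 3 above non-interactively, including the -name alias fix noted in the comments, and then checks that the aliases the connector will look up really exist in keystore.jks before you edit server.xml. It assumes openssl and keytool are on the PATH; the working directory, the Common Names (SERVER_CN, CLIENT_CN), the alias names and the password changeit are constructed sample values, and check_handshake is only meaningful once Tomcat is running with the connector from step 4.

```shell
#!/bin/sh
# Added example: automate steps 1-3 and verify the keystore before touching server.xml.
# Assumes openssl and keytool are on PATH. All names and the password are sample values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"      # where the PEM, PKCS12 and JKS files are written
SERVER_CN="${SERVER_CN:-localhost}"     # hostname Tomcat runs on (server cert Common Name)
CLIENT_CN="${CLIENT_CN:-tomcat}"        # a user from tomcat-users.xml (client cert Common Name)
STOREPASS="${STOREPASS:-changeit}"      # sample password for every store here; choose your own

# Steps 1a/1b and 2a/2b: private key plus self-signed certificate.
# -subj replaces the interactive prompts so the Common Name is set exactly.
make_self_signed() {   # $1 = file prefix (server|client), $2 = Common Name, $3 = validity in days
  openssl genrsa -out "$WORKDIR/${1}privatekey.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORKDIR/${1}privatekey.pem" \
    -out "$WORKDIR/${1}cert.pem" -days "$3" -subj "/CN=$2"
}

# Steps 1c/2c: bundle key and cert into PKCS12. -name sets the friendly name that
# keytool uses as the alias; without it keytool sees alias "1" and the import by
# alias below fails with "Alias serverCert does not exist".
to_pkcs12() {          # $1 = file prefix, $2 = alias
  openssl pkcs12 -export -out "$WORKDIR/${1}keystore.pkcs12" \
    -in "$WORKDIR/${1}cert.pem" -inkey "$WORKDIR/${1}privatekey.pem" \
    -name "$2" -passout "pass:$STOREPASS"
}

# Steps 1d/3: import the PKCS12 entry into the single JKS file that server.xml
# will reference as both keystoreFile and truststoreFile.
import_to_jks() {      # $1 = file prefix, $2 = alias
  keytool -importkeystore -noprompt -alias "$2" \
    -srckeystore "$WORKDIR/${1}keystore.pkcs12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
    -destkeystore "$WORKDIR/keystore.jks" -deststoretype JKS -deststorepass "$STOREPASS" 2>/dev/null
}

# Returns 0 when the alias is present in keystore.jks. keyAlias in server.xml must
# name the server entry, and the client entry must be present for clientAuth="true"
# to accept the browser's certificate.
has_alias() {          # $1 = alias
  keytool -list -keystore "$WORKDIR/keystore.jks" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1
}

# Optional check against a running Tomcat (step 4 done, connector on port 8443):
# a handshake that presents the client cert and trusts the server cert must verify.
check_handshake() {    # $1 = host
  openssl s_client -connect "$1:8443" -servername "$1" \
    -cert "$WORKDIR/clientcert.pem" -key "$WORKDIR/clientprivatekey.pem" \
    -CAfile "$WORKDIR/servercert.pem" </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

run_setup() {
  make_self_signed server "$SERVER_CN" 1095
  make_self_signed client "$CLIENT_CN" 365
  to_pkcs12 server serverCert
  to_pkcs12 client clientCert
  import_to_jks server serverCert
  import_to_jks client clientCert
  echo "keystore written to $WORKDIR/keystore.jks"
  # Both entries must show up here; the pipeline fails (set -e) if neither does.
  keytool -list -keystore "$WORKDIR/keystore.jks" -storepass "$STOREPASS" 2>/dev/null | grep -i 'PrivateKeyEntry'
}

if command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1; then
  run_setup
else
  echo "openssl and keytool must be on PATH" >&2
fi
```

Because keystore.jks doubles as the truststore here, the client's private key ends up on the server as well; for trust, only clientcert.pem is needed, so `keytool -importcert -alias clientCert -file clientcert.pem -keystore keystore.jks` is the leaner choice for step 3. Either way, run has_alias with the exact value you intend to put in keyAlias: an alias that is not in the file the connector points at is what produces the "Alias serverCert does not exist" and connection failures discussed in the comments.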
Reference: http://virgo47.wordpress.com/2010/08/23/tomcat-web-application-with-ssl-client-certificates/


Comments

  1. hi, somehow it is not working for me. please guide what I am missing. I am using tomcat7 on windows7

    Here are the steps that I have taken

    openssl genrsa -out serverprivatekey.pem 2048

    openssl req -new -x509 -key serverprivatekey.pem -out servercert.pem -days 1095

    Country Name (2 letter code) [AU]:IN
    State or Province Name (full name) [Some-State]:Uttar Pradesh
    Locality Name (eg, city) []:Noida
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Netambit
    Organizational Unit Name (eg, section) []:IT department
    Common Name (e.g. server FQDN or YOUR name) []:localhost
    Email Address []:


    openssl pkcs12 -export -out serverkeystore.pkcs12 -in servercert.pem -inkey serverprivatekey.pem

    password entered: keypass

    C:\Program Files\Java\jdk1.7.0_25\bin>keytool -importkeystore -srckeystore serverkeystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS

    password entered for jkcs store: jkcskeypass
    keystore password entered:keypass

    openssl genrsa -out clientprivatekey.pem 2048

    openssl req -new -x509 -key clientprivatekey.pem -out clientcert.pem -days 365

    Country Name (2 letter code) [AU]:IN
    State or Province Name (full name) [Some-State]:Uttar Pradesh
    Locality Name (eg, city) []:Noida
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Netambit
    Organizational Unit Name (eg, section) []:IT Department
    Common Name (e.g. server FQDN or YOUR name) []:keshav
    Email Address []:

    tomcat-user entry


    $ openssl pkcs12 -export -out clientkeystore.pkcs12 -in clientcert.pem -inkey clientprivatekey.pem
    password entered:ckeypass

    imported clientkeystore.pkcs12 into firefox

    C:\Program Files\Java\jdk1.7.0_25\bin>keytool -importkeystore -srckeystore C:\cygwin64\home\IN42254\clientkeystore.pkcs12 -srcstoretype PKCS12 -destkeystore serverkeystore.jks
    destination password:destpass
    source keystore password:ckeypass

    server entry


    Finally I am getting

    Firefox can't establish a connection to the server at localhost:8443.

    regards
    Keshav

  2. This comment has been removed by the author.

  3. Please try the following

    In step 1-d, server keystore is imported to keystore.jks and in step 3 client keystore is imported to serverkeystore.jks. Please import these two to same keystore.jks and give an alias name to each certificate while importing. And specify the value of 'keyAlias' attribute while configuring the server.xml as the value given to alias while importing the server certificate in step 1-d.

  4. hi thanks for your blog,
    this information is not only beneficial but also a time-consuming formula for all of us who are outside India and want these types of documents. anyways, thanks again
    God bless you!
    Authentication Certificate

  5. Must add -name serverCert to the openssl -export command, or else you get "Alias serverCert does not exist".

