Two-way SSL authentication on tomcat using OpenSSL self signed certificates.
Two-way SSL authentication:
Openssl is used for creating private keys and certificates. Setting up two-way ssl authentication on tomcat is done as follows
- Generate a self-signed certificate for tomcat web application
- Generate a self-signed certificate for the client (consider browser for this example)
- Import client certificate into server's keystore - as CA is not used and server needs to know public key of client.(Optional)
- Configuring tomcat's server.xml
Generating a private key using openSSL
openssl genrsa -out privkey.pem 2048
This generates an RSA private key of 2048 bits. With OpenSSL, the private key contains the public key information as well, so a public key doesn't need to be generated separately.
Generating a self-signed certificate using openSSL
openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
Generates a self-signed certificate that has public key in it valid for 1095 days.
1. Generate a self-signed certificate for tomcat web application
a. Create a private key for server
openssl genrsa -out serverprivatekey.pem 2048
b. Create an openSSL self-signed certificate for the server using the private key
openssl req -new -x509 -key serverprivatekey.pem -out servercert.pem -days 1095
This prompts you to enter a few pieces of information, use “.” to leave the field blank. When prompted for 'Common Name' specify the hostname of the machine the tomcat runs on.
c. Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores. So generate a keystore in JKS format from above certificate which involves creating a pkcs12 file
openssl pkcs12 -export -out serverkeystore.pkcs12 -in servercert.pem -inkey serverprivatekey.pem
It asks for the export password, and it is recommended to provide a password.
d. Now convert serverkeystore.pkcs12 file to JKS format keystore using Java's keytool
keytool -importkeystore -alias serverCert -srckeystore serverkeystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
Keytool asks you for a new password(keystore password) for the JKS keystore twice, and it will also ask you for the password you set for the PKCS12 keystore created earlier.
2. Generate a self-signed certificate for the client (consider browser for this example)
a. Create a private key for client.
openssl genrsa -out clientprivatekey.pem 2048
b. Create an openSSL self-signed certificate for the client using the private key
openssl req -new -x509 -key clientprivatekey.pem -out clientcert.pem -days 365.
When prompted for 'Common Name' specify a user from tomcat-users.xml.
c. Firefox accepts pkcs12 file for certificate. Export the client certificate into pkcs12 format
openssl pkcs12 -export -out clientkeystore.pkcs12 -in clientcert.pem -inkey clientprivatekey.pem
Import this clientkeystore.pkcs12 into firefox browser. Tools -> Options -> Advanced -> View Certificates -> Your certificates -> import.
3. Import client certificate into server's keystore (Optional)
keytool -importkeystore -alias clientCert -srckeystore clientkeystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
4. Configuring tomcat's server.xml
Edit CATALINA_HOME/conf/server.xml, where CATALINA_HOME is the base directory of Tomcat. By default, the HTTPS Connector configuration is commented out. Uncomment it and add keystoreFile, keystorePass, truststoreFile and truststorePass. 'clientAuth' needs to be set to true to enable two-way ssl authentication. 'keyAlias' needs to be set to server cert alias name in the keystore file.
Incase you did not import the client keystore into server's keystore, specify the truststoreFile as clients keystore.
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="true" keyAlias="serverCert" sslProtocol="TLS" keystoreFile ="path/to/jks_keystore_file" keystorePass="geebox" truststoreFile="path/to/jks_keystore_file" truststorePass="geebox"/>
Start tomcat and try to access any https page.
References:
3. http://yimingsun.wordpress.com/2012/03/12/step-by-step-instructions-on-self-signed-certificate-and-tomcat-over-ssl/
4. http://publib.boulder.ibm.com/infocenter/tivihelp/v5r1/index.jsp?topic=%2Fcom.ibm.itim.infocenter.doc%2Ftsk%2Ftsk_ic_security_genproc_1wayca.html
5. http://blog1.vorburger.ch/2006/08/setting-up-two-way-mutual-ssl-with.html
6. http://virgo47.wordpress.com/2010/08/23/tomcat-web-application-with-ssl-client-certificates/
Two-way SSL authentication:
Openssl is used for creating private keys and certificates. Setting up two-way ssl authentication on tomcat is done as follows
- Generate a self-signed certificate for tomcat web application
- Generate a self-signed certificate for the client (consider browser for this example)
- Import client certificate into server's keystore - as CA is not used and server needs to know public key of client.(Optional)
- Configuring tomcat's server.xml
Generating a private key using openSSL
openssl genrsa -out privkey.pem 2048
This generates an RSA private key of 2048 bits. With OpenSSL, the private key contains the public key information as well, so a public key doesn't need to be generated separately.
Generating a self-signed certificate using openSSL
openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
Generates a self-signed certificate that has public key in it valid for 1095 days.
1. Generate a self-signed certificate for tomcat web application
a. Create a private key for server
openssl genrsa -out serverprivatekey.pem 2048
b. Create an openSSL self-signed certificate for the server using the private key
openssl req -new -x509 -key serverprivatekey.pem -out servercert.pem -days 1095
This prompts you to enter a few pieces of information, use “.” to leave the field blank. When prompted for 'Common Name' specify the hostname of the machine the tomcat runs on.
c. Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores. So generate a keystore in JKS format from above certificate which involves creating a pkcs12 file
It asks for the export password, and it is recommended to provide a password.
d. Now convert serverkeystore.pkcs12 file to JKS format keystore using Java's keytool
When prompted for 'Common Name' specify a user from tomcat-users.xml.
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="true" keyAlias="serverCert" sslProtocol="TLS" keystoreFile ="path/to/jks_keystore_file" keystorePass="geebox" truststoreFile="path/to/jks_keystore_file" truststorePass="geebox"/>
References:
3. http://yimingsun.wordpress.com/2012/03/12/step-by-step-instructions-on-self-signed-certificate-and-tomcat-over-ssl/
4. http://publib.boulder.ibm.com/infocenter/tivihelp/v5r1/index.jsp?topic=%2Fcom.ibm.itim.infocenter.doc%2Ftsk%2Ftsk_ic_security_genproc_1wayca.html
5. http://blog1.vorburger.ch/2006/08/setting-up-two-way-mutual-ssl-with.html
4. http://publib.boulder.ibm.com/infocenter/tivihelp/v5r1/index.jsp?topic=%2Fcom.ibm.itim.infocenter.doc%2Ftsk%2Ftsk_ic_security_genproc_1wayca.html
5. http://blog1.vorburger.ch/2006/08/setting-up-two-way-mutual-ssl-with.html
hi, some how it is not working for me. please guide what I am missing. I am using tomcat7 on windows7
ReplyDeleteHere are the steps that i have taken
openssl genrsa -out serverprivatekey.pem 2048
openssl req -new -x509 -key serverprivatekey.pem -out servercert.pem -days 1095
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Uttar Pradesh
Locality Name (eg, city) []:Noida
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Netambit
Organizational Unit Name (eg, section) []:IT department
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:
openssl pkcs12 -export -out serverkeystore.pkcs12 -in servercert.pem -inkey serverprivatekey.pem
password entered: keypass
C:\Program Files\Java\jdk1.7.0_25\bin>keytool -importkeystore -srckeystore serverkeystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS
password entered for jkcs store: jkcskeypass
keystore password entered:keypass
openssl genrsa -out clientprivatekey.pem 2048
openssl req -new -x509 -key clientprivatekey.pem -out clientcert.pem -days 365
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Uttar Pradesh
Locality Name (eg, city) []:Noida
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Netambit
Organizational Unit Name (eg, section) []:IT Department
Common Name (e.g. server FQDN or YOUR name) []:keshav
Email Address []:
tomcat-user entry
$ openssl pkcs12 -export -out clientkeystore.pkcs12 -in clientcert.pem -inkey clientprivatekey.pem
password entered:ckeypass
imported clientkeystore.pkcs12 into firefox
C:\Program Files\Java\jdk1.7.0_25\bin>keytool -importkeystore -srckeystore C:\cygwin64\home\IN42254\clientkeystore.pkcs12 -srcstoretype PKCS12 -destkeystore serverkeystore.jks
destination password:destpass
source keystore password:ckeypass
server entry
Finally I am getting
Firefox can't establish a connection to the server at localhost:8443.
regards
Keshav
This comment has been removed by the author.
ReplyDeletePlease try the following
ReplyDeleteIn step 1-d, server keystore is imported to keystore.jks and in step 3 client keystore is imported to serverkeystore.jks. Please import these two to same keystore.jks and give an alias name to each certificate while importing. And specify the value of 'keyAlias' attribute while configuring the server.xml as the value given to alias while importing the server certificate in step 1-d.
hi thanks for your blog,
ReplyDeletethis information is not only beneficial but also time consuming formula for all of us who are outside india and wants these types of documents. anyways, thanks again
God bless you!
Authentication Certificate
Must add -name serverCert to openssl -export command or else get Alias serverCert does not exist.
ReplyDelete