Two-way authorization with PFX file

I have a two-way authentication problem. I am using Tomcat 6 as the server, and as the client I am trying to use IE, Firefox and my own Java application.

The problem arises with the use of PFX certificates provided to me by someone else. I have to use them as a client certificate, so I just add it to the trusted certificates on the server and use it in the browser in user certificates. The problem is that I get a bad_certificate warning.

I managed to perform two-way SSL, creating my own certificates for the server and client and adding the public keys as trusted in both keystores, etc.

When I look at the Wireshark logs, I see that the server is sending a good certificate request, but the client is sending an empty certificate (an 11-byte packet) instead of the 500+ bytes it sent when I used my own generated certificate.

What could be the problem? Why does the client not send a good certificate? :(

+1
2 answers

Well, the first thing to check is whether Tomcat is configured correctly to request a certificate from the client for the path in question. For Tomcat 6, this means you should have a Connector configured in conf/server.xml like this:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="${user.home}/.keystore" keystorePass="password"
           truststoreFile="conf/truststore" truststorePass="password"
           clientAuth="true" sslProtocol="TLS" />

truststoreFile, truststorePass and clientAuth="true" […]. truststoreFile JKS, CA […]. Tomcat […]. […] Tomcat.

[…] Wireshark […]. […] Tomcat […].

[…] PKCS12 […]:

openssl pkcs12 -in [path-to-pkcs12-file] -nokeys | openssl x509 -noout -subject -issuer

[…] trustedCaCert […]. […] Java keytool […]:

keytool -exportcert -keystore conf/truststore -alias [alias of trusted cert] | openssl x509 -noout -subject -inform der

[…] openssl s_client […]. […] PKCS12:

openssl pkcs12 -in [PKCS12 file] -out [whatever].key
openssl s_client -tls1 -connect localhost:443 -cert [whatever].key -key [whatever].key

(Both "-cert" and "-key" […], since openssl […] "BEGIN CERTIFICATE" […] "BEGIN RSA PRIVATE KEY" […].) […] s_client […] (…).

[…] Apache Tomcat […] Apache […] SSL […] Tomcat.

+2

[…] X509v3 "…" […] "…" […]. […].

openssl:

$ openssl pkcs12 -in server-only.pfx -nokeys | openssl x509 -noout -purpose
Enter Import Password:
MAC verified OK
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No

([…] HTTPS). […] -text […] openssl x509:

$ openssl pkcs12 -in server-only.pfx -nokeys | openssl x509 -noout -text
  [..snip..]
        X509v3 Key Usage: 
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage: 
            TLS Web Server Authentication
  [..snip..]

[…]

+2
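The checks from both answers, put into one script as an added example that is not part of either answer: it builds two throwaway PKCS#12 bundles (one whose certificate carries only the serverAuth Extended Key Usage, one with clientAuth), prints subject and issuer of each as the first answer suggests, and then asks openssl for the certificate purposes as the second answer does. A certificate that rates "SSL client : No" is never offered by a browser, which is exactly the empty Certificate message seen in the capture. The password `changeit`, the file names, the temporary directory and the function names are all assumptions; the script needs OpenSSL 1.1.1 or newer for `req -addext`.

```shell
#!/bin/sh
# Added example (not from either answer): build two throwaway .pfx bundles and
# check, the way the answers do with openssl, whether each would be offered as a
# TLS client certificate. Password, names and paths are constructed assumptions.
# Needs OpenSSL 1.1.1 or newer (for "req -addext").
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PFX_PASS=changeit   # constructed password for the test bundles

# make_pfx NAME EKU-LIST: self-signed cert + key for CN=NAME with the given
# extendedKeyUsage, packaged as $WORK/NAME.pfx
make_pfx() {
    name="$1"; eku="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
        -addext "keyUsage=digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=$eku" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/$name.key" -in "$WORK/$name.crt" \
        -passout "pass:$PFX_PASS" -out "$WORK/$name.pfx"
}

# pfx_cert PFX PASSWORD: the certificate from the bundle, as PEM (no key)
pfx_cert() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null
}

# pfx_subject_issuer PFX PASSWORD: the first answer's check. The issuer must be
# in Tomcat's truststore, otherwise it is not named in the CertificateRequest
# and the browser has nothing matching to offer.
pfx_subject_issuer() {
    pfx_cert "$1" "$2" | openssl x509 -noout -subject -issuer
}

# pfx_client_auth_ok PFX PASSWORD: the second answer's check. Succeeds only if
# openssl rates the certificate "SSL client : Yes", i.e. its Key Usage and
# Extended Key Usage allow TLS client authentication.
pfx_client_auth_ok() {
    pfx_cert "$1" "$2" | openssl x509 -noout -purpose | grep -q '^SSL client *: *Yes'
}

make_pfx server-only serverAuth
make_pfx client-ok   clientAuth

for n in server-only client-ok; do
    pfx_subject_issuer "$WORK/$n.pfx" "$PFX_PASS"
    if pfx_client_auth_ok "$WORK/$n.pfx" "$PFX_PASS"; then
        echo "$n.pfx: usable for TLS client authentication"
    else
        echo "$n.pfx: NOT usable as a client certificate (EKU lacks clientAuth)"
    fi
done
```

To run the same check against a real bundle, call `pfx_client_auth_ok your.pfx 'your password'` after sourcing the functions; if it fails, the fix is on the issuing side (a certificate with clientAuth in its Extended Key Usage), not in the browser or Tomcat configuration.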
