
Info Ssl Error Getting Client Certs Tomcat


Tomcat web application with SSL client certificates

August 23, 2010

Often repeated topic, tons of stuff you can google, yet either I’m retarded or just plain unlucky - it took me days to get it all right. What we’re going to do? create our own CA (certification authority), issue our own server certificate, issue client certificate, configure Tomcat 6 and browser to use it all, write an application that can identify user from the certificate.

We need OpenSSL - for that I used Ubuntu installation running on Sun/Oracle VirtualBox as I run the Tomcat on Windows. Then I used JDK 1.6 and its keytool. Finally unzip downloaded Tomcat 6 somewhere. Generally, you’ll find this all on any Linux. Use Sun’s JDK, not gcj stuff.

The rough idea is this: We need CA - our authority. We’ll create our own one - it will substitute something serious like Verisign - but it’s for free.🙂 Then you need server certificate that is signed by this CA and client certificate that is signed with the same CA as well. You can create another authority that is not the root CA. You can have your own CA1 signed by some CA2 that is signed by root CA (self signed). You can have server certificate signed by CA1 and client certificates signed by CA3, but CA3 must be signed by CA2 (as is CA1). What you need is a certificate of any CA “above” your server certificate imported into your browser (this is not absolutely necessary, but it ensures, that browser trusts the server certificate without asking the user - which is the idea why the most famous root CAs are pre-imported in your browser). And you need CA “above” the client certificate for client authentication + client certificate in your browser. I hope I didn’t make any factual error in this paragraph.🙂

For now we will have a single self-signed root CA and both the server and the client certificates signed by the same CA.

Open SSL

We’ll start with OpenSSL and CA. I don’t use CA.sh helper script, just because I don’t. Don’t ask why, it

https://virgo47.wordpress.com/2010/08/23/tomcat-web-application-with-ssl-client-certificates/

http://stackoverflow.com/questions/15837015/apache-http-client-javax-net-ssl-sslpeerunverifiedexception-peer-not-authentica

Apache HTTP Client javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

We are developing an application using Tomcat and Jersey. Within this web application we need to connect to an HTTPS website with a valid, not expired certificate. If I do connect to this website locally via my Chrome browser, everything works fine! Unfortunately the Tomcat server with our webapp throws an exception. We are using the Apache HttpClient (4.0) to connect to the HTTPS site:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:371)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:645)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)

The server certificate is absolutely valid and from thawte. Three different on

https://www.sslshopper.com/ssl-certificate-not-trusted-error.html

presented by this website was not issued by a trusted certificate authority." The certificate not trusted error indicates that the SSL certificate is not signed or approved by a company that the browser trusts. This occurs most often for one of the following reasons:

The web site is using a self-signed certificate. Self-signed certificates can be generated for free but they don't provide as much trust as a commercial certificate. You can tell your browser to trust the self-signed certificate or you can buy (or ask the site owner to buy) a trusted SSL certificate from a certificate authority.

The web site is using a free SSL Certificate. Free SSL Certificates are issued by a couple of free certificate authorities but their Root Certificate must be manually imported to each browser to get rid of this error.

The web site is using a trusted SSL certificate but it is missing a chain/intermediate certificate. Most trusted certificates require that you install at least one other intermediate/chain certificate on the server to link your certificate up to a trusted source.

The last option is a very common one. For example, if PayPal installed their server certificate for www.paypal.com without installing VeriSign's Class 3 Extended Validation SSL SGC CA intermediate certificate, a web browser would give the certificate not trusted error. Occasionally, certain browsers will give this error when others do not. For example, Microsoft Internet Explorer can automatically download intermediate certificates the first time you visit a site that needs one while Firefox cannot. Once a trusted certificate is installed properly, all browsers will work without getting this error.

You can verify whether the certificate will get a certificate not trusted error by using our SSL Checker. The SSL checker uses the

http://grokbase.com/t/tomcat/users/057degddm6/client-cert-error-null-cert-chain

to use the client certificate authentication. I first set up the SSL connector following the How-To. So now my site runs under SSL without any problem. Next, I build the client certificate with keytool, and store it into a file ( trust.keystore ). In my web.xml I change my BASIC into CLIENT-CERT :

CLIENT-CERT
Client certificate auth.

and in my server.xml :

When I connect to my protected JSP, I always get an error on tomcat :

13-jul-2005 11:19:25 org.apache.tomcat.util.net.jsse.JSSE14Support synchronousHandshake
INFO: SSL Error getting client Certs
javax.net.ssl.SSLHandshakeException: null cert chain
    at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
    at java.io.InputStream.read(InputStream.java:88)
    at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
    at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
    at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:158)
    at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:786)
    at org.apache.coyote.Request.action(Request.java:367)
    at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:799)
    at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:141)
    at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:154)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
    at org.apach

 
