Tomcat and SSL Client certificate

Tags:

ssl

tomcat

I would like to have the following scenario:

  1. create my own CA
  2. create a server certificate and sign it with my CA
  3. create multiple client certificates and sign them with my CA

Next I would like to authenticate every client which presents a certificate signed by my CA.

Is it possible to realize such scenario without adding every single client certificate to my tomcat keystore? I just would like to only verify if the certificate the client presents is issued and signed by my CA.

Pma asked Feb 19 '23 19:02


1 Answer

Yes, that's certainly possible, and I have done exactly this. If you configure Tomcat with a truststore containing your CA certificate then it should accept any client certificate signed by that CA.

I'll assume you have your CA key and root certificate already generated and you know how to use it to turn CSRs into certificates.

First generate your server key, and a corresponding CSR

$ openssl genrsa -out XXX.key 2048
$ openssl req -new -nodes -key XXX.key -out XXX.csr

Use your CA certificate to sign the CSR, producing a server certificate XXX.crt. Now package the server key, server cert and CA cert into a single PKCS#12 file

$ cat XXX.crt ca-certificate.pem | openssl pkcs12 -export -inkey XXX.key -out XXX.p12 -name tomcat -caname myauthority

You will be prompted for several passwords by this process, set them all to the same value (it doesn't matter what this value is and it doesn't have to be a secure password, it just has to be non-empty - I use changeit).

This .p12 file can now act as the keystore for Tomcat. Next you need to create a separate JKS keystore containing just the CA certificate to use as the truststore.

$ keytool -import -alias myauthority -keystore truststore.jks -file ca-certificate.pem

Again, reply to all password prompts with the same non-empty password, such as changeit.

Finally you can configure Tomcat:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           connectionTimeout="20000"
           keystoreFile="${catalina.home}/conf/XXX.p12"
           keystoreType="PKCS12"
           keystorePass="changeit"
           truststoreFile="${catalina.home}/conf/truststore.jks"
           truststoreType="JKS"
           truststorePass="changeit"
           clientAuth="true" sslProtocol="TLS" />
Ian Roberts answered Feb 28 '23 02:02
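The procedure from the answer above, carried through end to end as an added example (this is not code from the original answer): a POSIX shell script that builds a throwaway CA, issues a server certificate and several client certificates, packages the server side into a PKCS#12 exactly as the answer does, and then runs the check a CA-only truststore performs (does this client certificate chain to my CA?) with openssl verify, so it runs wherever openssl is installed even without a JDK for keytool. The CA and subject names (myauthority, otherauthority, server, client1, client2, rogue), the config sections, the passwords and the use of the sslclient purpose check are assumptions for illustration; the trust decision here is openssl's, standing in for the one JSSE makes inside Tomcat.

```shell
#!/bin/sh
# Added example, not code from the original answer. Builds a throwaway CA,
# a server cert and client certs, then checks which client certs chain to
# the CA -- the test a truststore holding only the CA cert performs.
# Only openssl is needed; every file and subject name is illustrative.
# Everything lives in a temp dir that is deleted on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DAYS=365

# One config for all requests: a CA section plus server and client leaf
# sections. (openssl req needs a distinguished_name section even when the
# subject is given with -subj, so a placeholder is provided.)
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[v3_client]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF

# make_ca <name>: self-signed root, producing $WORK/<name>.key and <name>.pem
make_ca() {
  openssl req -x509 -config "$WORK/pki.cnf" -subj "/CN=$1" \
    -newkey rsa:2048 -nodes -days "$DAYS" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert <ca> <cn> <v3_server|v3_client>: key, CSR and CA-signed cert for <cn>
issue_cert() {
  openssl req -new -config "$WORK/pki.cnf" -subj "/CN=$2" \
    -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions "$3" \
    -days "$DAYS" -out "$WORK/$2.crt" 2>/dev/null
}

# make_server_p12 <ca> <cn> <password>: the answer's packaging step --
# server key, server cert and CA cert in one PKCS#12 for Tomcat's keystore.
make_server_p12() {
  cat "$WORK/$2.crt" "$WORK/$1.pem" | openssl pkcs12 -export \
    -inkey "$WORK/$2.key" -out "$WORK/$2.p12" \
    -name tomcat -caname "$1" -passout "pass:$3" 2>/dev/null
}

# p12_cert_count <p12 path> <password>: certificates stored in the .p12
# (expect 2: the server cert and the CA cert).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# client_accepted <ca> <cn>: succeeds only if <cn>.crt chains to <ca>.pem
# and is usable as a TLS client certificate. No per-client entry is needed;
# the CA cert alone decides.
client_accepted() {
  openssl verify -purpose sslclient -CAfile "$WORK/$1.pem" \
    "$WORK/$2.crt" >/dev/null 2>&1
}

demo() {
  make_ca myauthority
  make_ca otherauthority                       # someone else's CA
  issue_cert myauthority    server  v3_server
  issue_cert myauthority    client1 v3_client
  issue_cert myauthority    client2 v3_client
  issue_cert otherauthority rogue   v3_client  # well-formed cert, wrong issuer
  make_server_p12 myauthority server changeit
  echo "server.p12 holds $(p12_cert_count "$WORK/server.p12" changeit) certificates"
  for cn in client1 client2 rogue server; do
    if client_accepted myauthority "$cn"; then
      echo "$cn: accepted"
    else
      echo "$cn: rejected"
    fi
  done
}

demo
```

client1 and client2 are accepted without ever being added anywhere; rogue is rejected because it chains to otherauthority, not to the CA in the truststore. The server certificate is also rejected, because the sslclient purpose check additionally requires the clientAuth extended key usage, which is a useful property when the same CA issues both kinds of certificate. The myauthority.pem produced here is the file you would hand to the answer's keytool -import command to build the JKS truststore, and server.p12 is the file the Connector's keystoreFile points at.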