
Tomcat and SSL Client certificate

I would like to have a following scenario:

  1. create my own CA
  2. create a server certificate and sign it with my CA
  3. create multiple client certificates and sign them with my CA

Next I would like to authenticate every client which presents a certificate signed by my CA.

Is it possible to realize such scenario without adding every single client certificate to my tomcat keystore? I just would like to only verify if the certificate the client presents is issued and signed by my CA.

Yes, that's certainly possible, and I have done exactly this. If you configure Tomcat with a truststore containing your CA certificate then it should accept any client certificate signed by that CA.

I'll assume you have your CA key and root certificate already generated and you know how to use it to turn CSRs into certificates.

First generate your server key and a corresponding CSR:

$ openssl genrsa -out XXX.key 2048
$ openssl req -new -nodes -key XXX.key -out XXX.csr

Use your CA certificate to sign the CSR, producing a server certificate XXX.crt. Now package the server key, server cert and CA cert into a single PKCS#12 file:

$ cat XXX.crt ca-certificate.pem | openssl pkcs12 -export -inkey XXX.key -out XXX.p12 -name tomcat -caname myauthority

You will be prompted for several passwords by this process; set them all to the same value (it doesn't matter what this value is and it doesn't have to be a secure password, it just has to be non-empty - I use changeit).

This .p12 file can now act as the keystore for Tomcat. Next you need to create a separate JKS keystore containing just the CA certificate to use as the truststore:

$ keytool -import -alias myauthority -keystore truststore.jks -file ca-certificate.pem

Again, reply to all password prompts with the same non-empty password, such as changeit.

Finally you can configure Tomcat:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           connectionTimeout="20000"
           keystoreFile="${catalina.home}/conf/XXX.p12"
           keystoreType="PKCS12"
           keystorePass="changeit"
           truststoreFile="${catalina.home}/conf/truststore.jks"
           truststoreType="JKS"
           truststorePass="changeit"
           clientAuth="true" sslProtocol="TLS" />

Disclaimer: Use a self-signed root certificate only in a development environment.

For a more complete overview (step-by-step):

  1. Create a root certificate:

     openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365

  2. Create a key and CSR:

     openssl genrsa -out mycert.key 2048
     openssl req -new -nodes -key mycert.key -out mycert.csr

  3. Sign the CSR with your root certificate:

     openssl x509 -req -in mycert.csr -CA cert.pem -CAkey key.pem -CAcreateserial -out mycert.pem

  4. Create a PKCS#12 certificate with the cert and key:

     openssl pkcs12 -export -out mycert.p12 -inkey mycert.key -in mycert.pem

  5. Create a separate JKS keystore containing just the CA certificate (to use as the truststore):

     keytool -import -alias my-ca -keystore truststore.jks -file cert.pem

This works with the Tomcat configuration of Ian Roberts.
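The two answers above describe the same procedure (private CA, CA-signed server certificate, PKCS#12 keystore, CA-only truststore) and the question asks whether verifying "signed by my CA" is enough without enrolling each client certificate. The script below is an added example, not code from either answer or from Tomcat: it builds a throwaway CA plus a second, unrelated CA in a temporary directory, issues a server certificate and two client certificates, packages the server material the way the first answer does, and then runs the chain check that the truststore effectively performs. All file names, subjects and the password are constructed for this example; it only needs the openssl CLI.

```shell
#!/bin/sh
# Added example: private CA, CA-signed certs, PKCS#12 bundle, and the
# "is this certificate signed by my CA?" check. Everything lives in a
# temp dir so no real Tomcat conf directory is touched.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_ca() {
  # $1 = CA basename. Self-signed root key + cert in one step (dev use only).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$1 (constructed example CA)" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue_cert() {
  # $1 = CA basename, $2 = subject CN, $3 = output basename.
  # Same key -> CSR -> CA-signed cert sequence as the answers above.
  openssl genrsa -out "$WORK/$3.key" 2048 2>/dev/null
  openssl req -new -nodes -key "$WORK/$3.key" -subj "/CN=$2" \
    -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/$3.pem" 2>/dev/null
}

package_pkcs12() {
  # $1 = CA basename, $2 = server basename. Bundles server key, server cert
  # and CA cert like the first answer; "changeit" is a constructed placeholder
  # that must match keystorePass in the Connector.
  cat "$WORK/$2.pem" "$WORK/$1.pem" | openssl pkcs12 -export \
    -inkey "$WORK/$2.key" -name tomcat -caname myauthority \
    -passout pass:changeit -out "$WORK/$2.p12"
}

verify_against_ca() {
  # $1 = CA basename, $2 = cert basename. Exit 0 when the cert chains to the
  # CA, non-zero otherwise. This is the decision a CA-only truststore makes:
  # no per-client enrolment, just "issued under this root or not".
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca myca
make_ca otherca
issue_cert myca "tomcat.example.test" server
issue_cert myca "alice" client1      # signed by our CA: should be accepted
issue_cert otherca "mallory" client2 # signed by a foreign CA: should be rejected
package_pkcs12 myca server

for c in server client1 client2; do
  if verify_against_ca myca "$c"; then
    echo "$c: chains to myca"
  else
    echo "$c: NOT issued by myca"
  fi
done
```

Only client1 and server chain to myca; client2 fails even though it is a perfectly valid certificate, because its issuer is not in the trust set. Note that this check answers only "was it issued by my CA", not "is it still allowed": revocation (CRL/OCSP) is a separate mechanism you would add if clients can be decommissioned. One packaging caveat: OpenSSL 3.x writes PKCS#12 files with newer default encryption than older JDKs understand; if Tomcat cannot open the .p12, re-export with openssl's `-legacy` option.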

You should take a look at openSSL: http//openssl.org/ or, if you want to get a certificate from an existing CA for free (but you have to redo it every month), visit http//www.startssl.com/
