I would like to use SSL client certificates to authenticate users connecting to tomcat6/7. I’ve got tomcat configured correctly, and certificates I sign with the cert in the truststore I gave to tomcat are authenticating successfully from both IE and Firefox.
I would also like to chain client certificates, because I want to give customers the ability to manage their own users. I could accomplish this by issuing a customer an intermediate management CA certificate that they would use to sign additional user certs. I would need the user’s browser to send the user certificate, chained with the management CA (signed by my root certificate) to authenticate.
I am using openssl, and I have created a root CA and an intermediate CA, and I have used the intermediate CA to sign a leaf certificate. I have converted all three certificates to pkcs12 and pem, and used keytool to import the root certificate into a truststore for tomcat. openssl -verify will verify the leaf pkcs12 against the intermediate certificate (and intermediate verifies against root). But I cannot get the leaf certificate (pkcs12) to verify against the root certificate (pkcs12). I also cannot get either IE or Firefox to authenticate using the leaf certificate. IE will prompt me for the certificate, but fails to authenticate (there is no mention of the connection or failure in tomcat’s log). Firefox does not prompt for the leaf certificate; it simply fails to authenticate.
Here is how I try to verify the leaf against the root using openssl:

```bat
openssl verify -CAfile ..\root\Root.pem Leaf.pem
```
Here are the scripts I am using to generate the three certificates:

root.bat:

```bat
set name=Root
set keyPassword=dummypassword
set trustPassword=dummypassword
openssl genrsa -des3 -passout pass:%keyPassword% -out %name%.key 4096
openssl req -new -key %name%.key -passin pass:%keyPassword% -out %name%.csr -subj "/C=US/ST=Chaos/L=TimeNSpace/O=None/CN=%name%"
openssl x509 -req -days 3650 -in %name%.csr -signkey %name%.key -passin pass:%keyPassword% -extfile GenerateCertificate.cfg -extensions v3_ca -out %name%.crt
openssl pkcs12 -export -in %name%.crt -inkey %name%.key -passin pass:%keyPassword% -passout pass:%keyPassword% -out %name%.pkcs12
keytool -noprompt -import -file %name%.crt -alias %name% -keystore %name%.truststore -deststorepass %trustPassword%
keytool -list -v -keystore %name%.truststore -storepass %trustPassword% > %name%.truststore.dump.txt
keytool -exportcert -alias %name% -keystore %name%.truststore -storetype jks -storepass %trustPassword% -rfc -file %name%.truststore.pem
openssl pkcs12 -in %name%.pkcs12 -out %name%.pem -nodes -passin pass:%keyPassword%
```
intermediate.bat:

```bat
set name=Intermediate
set password=dummypassword
set caDir=../root
set caName=Root
set caPassword=dummypassword
openssl genrsa -des3 -passout pass:%password% -out %name%.key 2048
openssl req -new -key %name%.key -passin pass:%password% -out %name%.csr -subj "/C=US/ST=Chaos/L=TimeNSpace/O=None/CN=%name%"
openssl x509 -req -days 3650 -in %name%.csr -CA %caDir%/%caName%.crt -CAkey %caDir%/%caName%.key -passin pass:%caPassword% -set_serial 1 -extfile GenerateCertificate.cfg -extensions v3_ca -out %name%.crt
openssl pkcs12 -export -in %name%.crt -inkey %name%.key -passin pass:%password% -passout pass:%password% -chain -CAfile %caDir%/%caName%.crt -out %name%.pkcs12
openssl pkcs12 -in %name%.pkcs12 -out %name%.pem -nodes -passin pass:%password%
```
leaf.bat:

```bat
set name=Leaf
set password=dummypassword
set caDir=../intermediate
set caName=Intermediate
set caPassword=dummypassword
openssl genrsa -des3 -passout pass:%password% -out %name%.key 2048
openssl req -new -key %name%.key -passin pass:%password% -out %name%.csr -subj "/C=US/ST=Chaos/L=TimeNSpace/O=None/CN=%name%"
openssl x509 -req -days 3650 -in %name%.csr -CA %caDir%/%caName%.crt -CAkey %caDir%/%caName%.key -passin pass:%caPassword% -set_serial 1 -out %name%.crt
openssl pkcs12 -export -in %name%.crt -inkey %name%.key -passin pass:%password% -passout pass:%password% -chain -CAfile %caDir%/%caName%.pem -out %name%.pkcs12
openssl pkcs12 -in %name%.pkcs12 -out %name%.pem -nodes -passin pass:%password%
```
GenerateCertificate.cfg:

```ini
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true,pathlen:3
```
The problem was that the root and intermediate certificates were not created as CA certificates.
To create them as CA certificates, I added

```bat
-extfile GenerateCertificate.cfg -extensions v3_ca
```

to their creation scripts, and added the GenerateCertificate.cfg file to my working directories (which contained the cert creation batch files).
I have edited my original post to reflect these changes.
Source: https://stackoverflow.com/questions/12626027/chained-client-certificates