
Java Security


How does OpenSSL work with JAVA's KeyTool ?

843811 Oct 6 2006
I'm intending to set up a certification authority and issue certificates built by Java's keytool.
These are the steps I followed:
1) Use the CA.pl to create a CA certificate using the option -newca
2) OpenSSL's output is in PEM format while keytool accepts certificates in DER format, so I execute this command:
openssl x509 -in democa/cacert.pem -out democa/cacert.der -outform DER
3) Create the keys with keytool for the server:
keytool -genkey -alias tomcatServer -keyalg RSA -keysize 1024 -keystore server.ks -storetype JKS -storepass serverPassword -dname "CN=serverCert, O=Something l.t.d, OU=sfe, L=turin, ST=italy, C=it, EMAILADDRESS=ca@ca.it" -validity 999

4) Create a certificate request for the server:
keytool -certreq -keyalg RSA -alias tomcatServer -file server.csr -keystore server.ks -storepass serverPassword
5) Sign the certificate request with the OpenSSL tools:
openssl ca -policy policy_anything -out server.crt -infiles server.csr

6) Import the signed certificate into the server's keystore:
keytool -import -alias my_ca -keystore server.ks -trustcacerts -file demoCA/cacert.der -storepass serverPassword

7) Import the CA certificate into the server's keystore :
Repeat steps 3-7 for the client configuration.

On the server side, Tomcat's configuration is as follows:


<Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true" acceptCount="100" debug="0"
scheme="https" secure="true"
useURIValidationHack="false" disableUploadTimeout="true">
<Factory
className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
clientAuth="true" protocol="TLS"
keystoreFile="D:\OpenSSL\bin\server.ks"
keystorePass="serverPassword"/>
</Connector>


and a simple servlet is deployed that accepts a simple HTTP request and responds with something.
The servlet web.

<web-app version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<servlet>
<description>This is the description of my J2EE component</description>
<display-name>This is the display name of my J2EE
component</display-name>
<servlet-name>Test</servlet-name>
<servlet-class>Test</servlet-class>
</servlet>

<servlet-mapping>
<servlet-name>Test</servlet-name>
<url-pattern>/servlet/Test</url-pattern>
</servlet-mapping>

</web-app>

On the client side there's a simple Java application making a simple request to the following URL:
https://localhost:8443/TestCert/servlet/Test

Inside this Java application the SSL layer is specified as follows:

http://localhost:8080/TestCert/servlet/Test

Properties props = System.getProperties();
props.put("javax.net.ssl.trustStore","D:\\OpenSSL\\bin\\client.ks");
props.put("javax.net.ssl.trustStorePassword","clientPassword");
props.put("javax.net.ssl.keyStore","D:\\OpenSSL\\bin\\client.ks");
props.put("javax.net.ssl.keyStorePassword","clientPassword");
props.put("javax.net.debug","all");


Well, inside the openssl.cnf I specify these policies:

# For the CA policy
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = match
commonName = optional
emailAddress = optional

When I start my application these exceptions are raised:
main, called closeInternal(true)
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)

Can anybody help me and explain the problems?

Thanks....
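The "unable to find valid certification path to requested target" message in the trace comes from the PKIX CertPathBuilder that JSSE runs on the certificate the peer presents, so the same check can be reproduced offline against the two keystores before Tomcat is started. The diagnostic below is an added example, not code from the post, from Tomcat or from the JDK: it loads server.ks and client.ks (file names and passwords as in the post; the class name ChainCheck and its argument order are my own), lists each entry, and tries to build a path from every key entry's leaf certificate to a trusted certificate in the other keystore, in both handshake directions since the Connector sets clientAuth="true". A key entry whose chain is still length 1 with issuer equal to subject is the self-signed certificate keytool -genkey created, which is what the peer sees when the signed reply from step 5 (server.crt) has not been imported under the key's own alias; a truststore with no trusted certificate entry at all fails with an empty trust-anchor set, and the program reports that case too.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.Certificate;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * ChainCheck: added diagnostic (not part of the original post). Opens two JKS
 * keystores and runs the same PKIX path building that JSSE performs during the
 * handshake, so a "PKIX path building failed" error can be explained offline.
 *
 *   java ChainCheck server.ks serverPassword client.ks clientPassword
 *
 * File names and passwords follow the post; any pair of keystores works.
 */
public class ChainCheck {

    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /** List every entry; for key entries, show the chain that will be presented to the peer. */
    static void describe(String name, KeyStore ks) throws Exception {
        System.out.println("== " + name + " ==");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                X509Certificate leaf = (X509Certificate) chain[0];
                System.out.println("key entry    " + alias + ": chain length " + chain.length);
                System.out.println("             subject " + leaf.getSubjectX500Principal());
                System.out.println("             issuer  " + leaf.getIssuerX500Principal());
                // keytool -genkey creates a self-signed certificate. Until the CA-signed reply
                // is imported under the SAME alias the chain stays at length 1, and the peer
                // is offered a certificate that no trust anchor in its truststore can validate.
                if (chain.length == 1
                        && leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
                    System.out.println("             WARNING: still self-signed; the signed reply was not imported");
                }
            } else {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("trusted cert " + alias + ": " + c.getSubjectX500Principal());
            }
        }
    }

    /**
     * For each key entry in 'presenter', try to build a PKIX path from its leaf certificate
     * to a trusted certificate entry in 'truststore'. This mirrors the validator that threw
     * the SSLHandshakeException in the post.
     */
    static void checkPaths(KeyStore presenter, KeyStore truststore) throws Exception {
        for (Enumeration<String> e = presenter.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!presenter.isKeyEntry(alias)) {
                continue;
            }
            X509Certificate leaf = (X509Certificate) presenter.getCertificate(alias);
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(leaf);
            try {
                // Every trusted certificate entry of the truststore becomes a trust anchor.
                // With a single CA, as in the post, no intermediate CertStore is needed.
                PKIXBuilderParameters params = new PKIXBuilderParameters(truststore, target);
                params.setRevocationEnabled(false); // the lab CA publishes no CRL
                PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
                        CertPathBuilder.getInstance("PKIX").build(params);
                System.out.println("path OK     : " + alias + " -> anchor "
                        + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            } catch (GeneralSecurityException ex) {
                // CertPathBuilderException ("unable to find valid certification path ...") or
                // InvalidAlgorithmParameterException when the truststore has no trusted entry.
                System.out.println("path FAILED : " + alias + " -> " + ex.getMessage());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore server = load(args[0], args[1]);
        KeyStore client = load(args[2], args[3]);
        describe(args[0], server);
        describe(args[2], client);
        // Direction of the failing handshake: the client validates the server's certificate...
        System.out.println("-- client validating server --");
        checkPaths(server, client);
        // ...and, because the Connector sets clientAuth="true", the server validates the client's.
        System.out.println("-- server validating client --");
        checkPaths(client, server);
    }
}
```

Run it after the keystores are built and before starting Tomcat. Importing the signed reply under the key's own alias (keytool -import -alias tomcatServer -file server.crt -keystore server.ks -storepass serverPassword) turns the self-signed entry into a CA-signed one; keytool only accepts the reply if the issuing CA is already trusted, which the step 6 import of cacert.der under my_ca provides. A second run should then show chain length 2 for the key entry and a successful path in both directions, with the anchor being the CA certificate from democa/cacert.pem.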
Post Details
Locked on Nov 3 2006
Added on Oct 6 2006
0 comments