thank you very much for your reply!

that works for me!

 :-)


On 05.08.2010 17:41, ravi kumar wrote:

Hi,

Confirm if you want the certificate for apache or tomcat.
If it is apache then the "filename.crt" file will work, but if it is for tomcat then you will need
"filename.keystore".

Below command is used to generate the .key file in Linux using a pass phrase

openssl genrsa -des3 1024 > filename.key


Below command is used to generate csr file in Linux

openssl req -new -key /root/csr/filename.key > filename.csr


==========================================

Step 1: Generate a keystore in pkcs12 format using the Certificate (.crt) and the Private Key (.key) files

 

openssl pkcs12 -in <yourfile.crt> -inkey <yourfile.key> -export -out <keystore name> -name tomcat

 

The keystore file will be generated into the folder where OpenSSL binary is located

 

Step 2: Once the keystore is generated, configure the SSL factory in server.xml file to use it


Example:

 

<Connector clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program\tomcat/keystore" keystorePass="mypassword" truststorePass="mypassword" keystoreType="pkcs12" />




Note: Sometimes providerroot file is required.
Ex. If I purchased my certificate from "thawte" then I will
require "thawteroot.csr" and will merge this with my "filename.csr" and install on the server.


Hope above solution works for you.


Thanks,
Ravi


--- On Thu, 5/8/10, Tina Exner <texner@picturesafe.de> wrote:

From: Tina Exner <texner@picturesafe.de>
Subject: Re: [users@httpd] Export CACertificate to Tomcat
To: users@httpd.apache.org
Date: Thursday, 5 August, 2010, 3:49 PM


does nobody know a solution for this problem?


hi all,

we have a nexus multiid server for certificate authentication.
i try to pass the client smartcard certificates from apache to tomcat server.
the tomcat talks to the nexus and the authentication takes effect.

when i try to export the client ca certificate to the tomcat server i get the
following errors:

[Mon Aug 02 15:36:40 2010] [error] [client] Certificate Verification: Error (20): unable to get local issuer certificate
[Mon Aug 02 15:36:40 2010] [error] [client] Re-negotiation handshake failed: Not accepted by client!?

@Firefox:
(Fehlercode: ssl_error_unknown_ca_alert)


this is my ssl configuration:

  <IfModule ssl_module>
      SSLVerifyClient none
      SSLVerifyDepth 5

      #SSLOptions +ExportCertData +StrictRequire +StdEnvVars +FakeBasicAuth
      SSLOptions +ExportCertData

      #SSLCACertificateFile conf/ssl/Certificate.cer
  </IfModule>

  <Location /nexus>
      SSLVerifyClient         require
      SSLVerifyDepth          5

      #SSLCACertificateFile    /ps/apache2.2/testsystem1/conf/ssl/Certificate.crt
      #SSLOptions             +ExportCertData +StrictRequire +StdEnvVars +FakeBasicAuth
      SSLOptions              +ExportCertData +StdEnvVars
      #SSLRequireSSL
  </Location>


my jk.conf:

  JkExtractSSL          On
  JkHTTPSIndicator      HTTPS
  JkSESSIONIndicator    SSL_SESSION_ID
  JkCIPHERIndicator     SSL_CIPHER
  JkCERTSIndicator      SSL_CLIENT_CERT
  JkEnvVar              SSL_CLIENT_CERT SSL_CLIENT_CERT
  JkOptions             +ForwardSSLCertChain


i use apache 2.2.13-3 and openssl 0.9.8a.

Any hints on what might have gone wrong will be highly useful.

regards
Tin
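
The key, CSR and PKCS#12 steps from the reply above, run end to end and followed by checks that the keystore really holds the matching certificate under the alias "tomcat". This is an added example, not part of the original thread: the file names, subject, password and the self-signing step (a stand-in for the CA) are assumptions, and the key is generated at 2048 bits without -des3 so the script runs unattended.

```shell
#!/bin/sh
# Added example, not from the thread. File names, subject and password are
# constructed sample values; the self-signed step stands in for the CA.

build_keystore() {   # $1 = working directory, $2 = keystore password
    # Key without -des3 so the script runs unattended; 2048 bits is this
    # example's choice, the thread's command uses 1024.
    openssl genrsa -out "$1/filename.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$1/filename.key" -subj "/CN=tomcat.example.test" \
        -out "$1/filename.csr" || return 1
    # Stand-in for the CA: self-sign the CSR to obtain filename.crt.
    openssl x509 -req -in "$1/filename.csr" -signkey "$1/filename.key" \
        -days 30 -out "$1/filename.crt" 2>/dev/null || return 1
    # Step 1 of the reply: bundle certificate and key under the alias "tomcat".
    openssl pkcs12 -export -in "$1/filename.crt" -inkey "$1/filename.key" \
        -name tomcat -out "$1/filename.keystore" -passout "pass:$2"
}

key_matches_cert() {   # $1 = private key, $2 = certificate
    # Key and certificate must carry the same public key.
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

keystore_holds_cert() {   # $1 = keystore, $2 = password, $3 = certificate
    # Compare the fingerprint of the certificate inside the keystore with the file.
    inside=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    outside=$(openssl x509 -in "$3" -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$inside" ] && [ "$inside" = "$outside" ]
}

keystore_alias() {   # $1 = keystore, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Demo run in a throwaway directory.
demo=$(mktemp -d)
if build_keystore "$demo" "sample-pass" &&
   key_matches_cert "$demo/filename.key" "$demo/filename.crt" &&
   keystore_holds_cert "$demo/filename.keystore" "sample-pass" "$demo/filename.crt"
then
    echo "keystore OK, alias: $(keystore_alias "$demo/filename.keystore" sample-pass)"
else
    echo "keystore check failed" >&2
fi
rm -rf "$demo"
```

With a certificate issued by a real CA, skip the self-signing line and run the two check functions against the issued filename.crt before pointing Tomcat at the keystore.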