Forum Discussion
Sachin_Sawe__Pr
16 years ago Contributor
I've done what you recommended. The ssl handshake from soapui (client) to server still fails.
Let's recap the scenario.
On the server, I have apache httpd 2.2 proxying tomcat 5.5.27. Httpd handles the ssl
handshake and passes authenticated requests on to tomcat.
Both the client and the server have certificates which are self-signed by a root certificate I
created. Let's call it WandrianCA-cacert.pem.
I know the server portion (httpd + tomcat5) works correctly. I can send a canned request
using curl and get a response. I can do a canned request using openssl and watch the ssl
handshake. I can browse static content, served by tomcat, using Firefox with client certificate
authentication.
I can't get soapui to work.
Using the following commands, I've created a jks keystore soapui.jks:
keytool -v -keystore soapui.jks -import -file WandrianCA-cacert.pem # adds the signing cert
keytool -v -keystore soapui.jks -import -file support.pem -alias support # add client cert
$ keytool -list -keystore soapui.jks
Enter keystore password: *****
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
support, Apr 29, 2009, trustedCertEntry,
Certificate fingerprint (MD5): EC:A6:B5:F5:4E:AD:A3:BC:3A:45:E8:42:8D:03:1D:80
mykey, Apr 29, 2009, trustedCertEntry,
Certificate fingerprint (MD5): CC:2B:8B:C0:E3:4F:AD:3D:E2:65:DE:37:A6:DF:B0:0D
Note that there are NO private keys. I don't believe I need any.
The certificate authority cert WandrianCA-cacert.pem will be used
to authenticate the server's certificate. The client certificate support.pem
will be used to respond to the server when the server requests authentication.
On the project properties tab, 'Keystores/Certificates' subtab, when I load
the keystore, I'm prompted for the password then get the following
message in the 'status' column:
<no private keys found in keystore>
Please advise ASAP. Thanks.
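An added example, not part of the original post: TLS client-certificate authentication requires the client to prove possession of the private key matching its certificate, and a `trustedCertEntry` holds a certificate only, so this sketch parses `keytool -list` output and reports which aliases are `PrivateKeyEntry`. The function names and the second listing (with a placeholder fingerprint) are constructed for illustration, and the English date layout shown in the post is assumed.

```python
import re

# Constructed sample: the keytool listing quoted in the post above.
POST_LISTING = """\
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
support, Apr 29, 2009, trustedCertEntry,
Certificate fingerprint (MD5): EC:A6:B5:F5:4E:AD:A3:BC:3A:45:E8:42:8D:03:1D:80
mykey, Apr 29, 2009, trustedCertEntry,
Certificate fingerprint (MD5): CC:2B:8B:C0:E3:4F:AD:3D:E2:65:DE:37:A6:DF:B0:0D
"""

# Constructed sample: a listing where the client alias carries a key pair.
# The fingerprint is a placeholder, not a real value.
WITH_KEY_LISTING = """\
Your keystore contains 1 entry
support, Apr 29, 2009, PrivateKeyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"""

# "<alias>, <date>, <entry type>," followed by a fingerprint line.
ENTRY_RE = re.compile(
    r"^(?P<alias>.+?), .*?"
    r"(?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$")
FP_RE = re.compile(r"^Certificate fingerprint \([^)]+\): (?P<fp>[0-9A-Fa-f:]+)$")

def parse_listing(text):
    """Return one dict per keystore entry: alias, type, fingerprint."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"alias": m["alias"], "type": m["type"],
                            "fingerprint": None})
            continue
        m = FP_RE.match(line)
        if m and entries and entries[-1]["fingerprint"] is None:
            entries[-1]["fingerprint"] = m["fp"]
    return entries

def client_auth_aliases(entries):
    """Aliases that hold a private key and can answer a certificate request."""
    return [e["alias"] for e in entries if e["type"] == "PrivateKeyEntry"]

if __name__ == "__main__":
    for name, listing in (("post", POST_LISTING), ("with key", WITH_KEY_LISTING)):
        usable = client_auth_aliases(parse_listing(listing))
        print(name, "->", usable or "no private keys found in keystore")
```
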