Forum Discussion

Sachin_Sawe__Pr
Contributor
15 years ago

ssl client auth with self-signed certificates

I would like to issue a soap request to a tomcat server "fronted" by an
apache httpd 2.2 server. I've configured httpd to pass through (proxy)
the request to tomcat after httpd has authenticated the client with its
client certificate. I know the server configuration works correctly because
I can send a request to the httpd/tomcat combination using the openssl s_client.
I send the soap request "verbatim" at the command line, and I get back a
successful response.

The client certificate is self-signed. I have generated a certificate authority
cert and then a client certificate signed with my own certificate authority.

I can (and do) import the client cert in pk12 format. That works just fine.
Don't I have to also import my certificate authority cert, so that it can verify
the client cert? If so, how? Does format matter?

Is there a cookbook for this somewhere? The website seems to do the situation
where the certificate comes from a known certificate authority like Thawte.

Please advise. Thanks.

10 Replies

  • Sorry, I meant to say that I need the certificate authority certificate to authenticate the
    *server*'s certificate, which is "self-signed" using my certificate authority cert. Soapui pro 2.5
    needs to find this "trusted certificate authority" cert somehow. Please advise. Thanks.
  •
    SmartBear_Suppo
    SmartBear Alumni (Retired)
    Hi Leigh,

    I'm not sure exactly what errors/problems you are getting/having.. is it when you specify the certificate in the global SSL settings? Or when making a request?

    regards!

    /Ole
    eviware.com
  • When I try to load the certificate authority certificate into soapui. I use
    pem format (that's what openssl generates). Pl. advise. Thanks.
  •
    SmartBear_Suppo
    SmartBear Alumni (Retired)
    Hi,

    ok.. and what error are you getting? Have you tried importing the pem file into a java keystore and specifying that instead?

    regards!

    /Ole
    eviware.com
  • I've done what you recommended. The ssl handshake from soapui (client) to server still fails.

    Let's recap the scenario.

    On the server, I have apache httpd 2.2 proxying tomcat 5.5.27. Httpd handles the ssl
    handshake and passes authenticated requests on to tomcat.

    Both the client and the server have certificates which are self-signed by a root certificate I
    created. Let's call it WandrianCA-cacert.pem.

    I know the server portion (httpd + tomcat5) works correctly. I can send a canned request
    using curl and get a response. I can do a canned request using openssl and watch the ssl
    handshake. I can browse static content, served by tomcat, using Firefox with client certificate
    authentication.

    I can't get soapui to work.

    Using the following commands, I've created a jks keystore soapui.jks:

    keytool -v -keystore soapui.jks -import -file WandrianCA-cacert.pem # adds the signing cert
    keytool -v -keystore soapui.jks -import -file support.pem -alias support # add client cert

    $ keytool -list -keystore soapui.jks
    Enter keystore password:  *****

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 2 entries

    support, Apr 29, 2009, trustedCertEntry,
    Certificate fingerprint (MD5): EC:A6:B5:F5:4E:AD:A3:BC:3A:45:E8:42:8D:03:1D:80
    mykey, Apr 29, 2009, trustedCertEntry,
    Certificate fingerprint (MD5): CC:2B:8B:C0:E3:4F:AD:3D:E2:65:DE:37:A6:DF:B0:0D

    Note that there are NO private keys. I don't believe I need any.
    The certificate authority cert WandrianCA-cacert.pem will be used
    to authenticate the server's certificate. The client certificate support.pem
    will be used to respond to the server when the server requests authentication.

    On the project properties tab, 'Keystores/Certificates' subtab, when I load
    the keystore, I'm prompted for the password then then get the following
    message in the 'status' column:

    <no private keys found in keystore>

    Please advise ASAP. Thanks.
  • I think I have a workaround.

    I've added my certificate authority certificate to the java cacert keystore
    using keytool.

    I then load the client certificate in the project 'Security Configurations' tab
    and configure an "Outgoing WS-Security Configuration" using that certificate.
    Finally, for a request, I configure the 'SSL Keystore' to be the client certificate.
    Do I have to configure every request of every testcase like that, in other words bind
    'SSL Keystore'? Or is there something global to set?
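Added example (not posted by anyone in this thread) for the keystore listing above and the workaround post: it checks a `keytool -list` listing for private-key entries, which is what SoapUI's "no private keys found" status is about (both aliases are `trustedCertEntry`, so the store can verify peers but cannot present a client certificate), and shows how to build a PKCS#12 client keystore and a separate CA truststore instead. File names `support-key.pem` and the password `changeit` are assumptions.

```shell
#!/bin/sh
# Count entries that carry a private key in "keytool -list" output read from
# stdin. JDK 6+ prints "PrivateKeyEntry"; older releases print "keyEntry".
# A result of 0 is exactly the situation SoapUI reports as
# "no private keys found in keystore": only trustedCertEntry aliases.
count_private_keys() {
  awk '/, *(PrivateKeyEntry|keyEntry),? *$/ { n++ } END { print n + 0 }'
}

# Constructed sample mirroring the listing in the thread (fingerprints replaced
# with placeholders): two trusted certificates, no key material at all.
SAMPLE_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

support, Apr 29, 2009, trustedCertEntry,
Certificate fingerprint (MD5): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
mykey, Apr 29, 2009, trustedCertEntry,
Certificate fingerprint (MD5): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX'

# Build what the client side actually needs (requires openssl and keytool;
# assumes support.pem, support-key.pem and WandrianCA-cacert.pem exist):
#  - support.p12: client cert + its private key + issuing CA. This is the
#    "SSL Keystore" SoapUI presents when httpd requests client authentication.
#  - truststore.jks: only the CA cert, used to verify the server's certificate
#    chain instead of editing the JRE's global cacerts file.
build_client_keystores() {
  openssl pkcs12 -export -in support.pem -inkey support-key.pem \
    -certfile WandrianCA-cacert.pem -name support \
    -out support.p12 -passout pass:changeit || return 1
  keytool -importcert -trustcacerts -noprompt -alias WandrianCA \
    -file WandrianCA-cacert.pem -keystore truststore.jks \
    -storepass changeit || return 1
  # Sanity check: the client keystore must expose at least one private key,
  # otherwise SoapUI will report the same "no private keys found" status.
  n=$(keytool -list -keystore support.p12 -storetype PKCS12 \
        -storepass changeit | count_private_keys)
  [ "$n" -ge 1 ]
}
```

Run `build_client_keystores` once the PEM files are in place; keep the private key out of the truststore and the CA-only truststore out of the client keystore so each file serves a single purpose.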
  • I'm about to update hundreds of requests one by one if I can't get an answer for the
    'SSL Keystore' property. Is there a global "default" setting? Please advise. Thanks.
  •
    SmartBear_Suppo
    SmartBear Alumni (Retired)
    Hi Leigh,

    there is a global keystore setting in the Preferences \ SSL tab, maybe you could set the keystore there instead?

    regards!

    /Ole
    eviware.com
  • Global is probably the wrong scope. I have several projects and each requires
    a different client certificate. There doesn't seem to be an 'SSL Keystore' property
    in the project, service binding or test suite scopes? Pl. advise. Thanks.
  •
    SmartBear_Suppo
    SmartBear Alumni (Retired)
    Hi Leigh,

    unfortunately global and request are the only scopes, obviously a shortcoming that should be addressed in an upcoming release.. What level would be most appropriate for your requirements? (Project? Endpoint? TestCase? etc..)

    regards,

    /Ole
    eviware.com