Ryfujk

A Paper Record is What I Hamper

Mistake in years of experience in resume?

"My boss was furious with me and I have been fired" vs. "My boss was furious with me and I was fired"

Multiple options vs single option UI

I preordered a game on my Xbox while on the home screen of my friend's account. Which of us owns the game?

Co-worker works way more than he should

How to get even lighting when using flash for group photos near wall?

What is a 'Key' in computer science?

Israeli soda type drink

Does Feeblemind produce an ongoing magical effect that can be dispelled?

Are all CP/M-80 implementations binary compatible?

What ability score does a Hexblade's Pact Weapon use for attack and damage when wielded by another character?

How would I use different systems of magic when they are capable of the same effects?

Retract an already submitted recommendation letter (written for an undergrad student)

How would this chord from "Rocket Man" be analyzed?

std::is_constructible on incomplete types

How to count in linear time worst-case?

What is the term for a person whose job is to place products on shelves in stores?

Protagonist's race is hidden - should I reveal it?

What is the least dense liquid under normal conditions?

Is a 5 watt UHF/VHF handheld considered QRP?

How can I wire a 9-position switch so that each position turns on one more LED than the one before?

Seek and ye shall find

Is it OK if I do not take the receipt in Germany?

Verify client certificate CN in Tomcat(APR)

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}

0

I'm running a tomcat installation with the APR libraries installed (with the OpenSSL HTTPS stack that comes with it).

What I'm trying to do is to lock a specific HTTPS connector down to users of a specific certificate. Adding client certificate verification is no issue, but I can't get it to validate against a specific Common name only.

I was perhaps a bit naïve and thought the mod_ssl attribute SSLRequire typically used in Apache Httpd would work, but that property is not recognized by the Tomcat implementation. (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL%20Support points to some mod_ssl docs, but the Tomcat implementation does not seem to cover all aspects of mod_ssl).

I can get this to work by using the Java version of the connector instead of APR (losing some performance) and just add a trust store with that one certificate in it. However, using openssl without the SSLRequire expressions, I'm not sure how to do this with Tomcat7 (on Windows if that matters).

<Connector

   protocol="HTTP/1.1"

   port="443" maxThreads="150"

   scheme="https" secure="true" SSLEnabled="true"

   SSLCertificateFile="mycert.pem"

   SSLCertificateKeyFile="privkey.pem"

   SSLCACertificateFile="CABundle.pem"

   SSLVerifyClient="require" SSLProtocol="TLSv1" SSLRequire="(%{SSL_CLIENT_S_DN_CN} eq &quot;host.example.com&quot;)"/>

Can you suggest a way to make this work using Tomcat/APR/OpenSSL?

ssl tomcat openssl mod-ssl

share|improve this question

asked Apr 18 '13 at 15:29

Petter NordlanderPetter Nordlander

10315

bumped to the homepage by Community♦ 9 mins ago

This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.

add a comment | 

0

I'm running a tomcat installation with the APR libraries installed (with the OpenSSL HTTPS stack that comes with it).

What I'm trying to do is to lock a specific HTTPS connector down to users of a specific certificate. Adding client certificate verification is no issue, but I can't get it to validate against a specific Common name only.

I was perhaps a bit naïve and thought the mod_ssl attribute SSLRequire typically used in Apache Httpd would work, but that property is not recognized by the Tomcat implementation. (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL%20Support points to some mod_ssl docs, but the Tomcat implementation does not seem to cover all aspects of mod_ssl).

I can get this to work by using the Java version of the connector instead of APR (losing some performance) and just add a trust store with that one certificate in it. However, using openssl without the SSLRequire expressions, I'm not sure how to do this with Tomcat7 (on Windows if that matters).

<Connector

   protocol="HTTP/1.1"

   port="443" maxThreads="150"

   scheme="https" secure="true" SSLEnabled="true"

   SSLCertificateFile="mycert.pem"

   SSLCertificateKeyFile="privkey.pem"

   SSLCACertificateFile="CABundle.pem"

   SSLVerifyClient="require" SSLProtocol="TLSv1" SSLRequire="(%{SSL_CLIENT_S_DN_CN} eq &quot;host.example.com&quot;)"/>

Can you suggest a way to make this work using Tomcat/APR/OpenSSL?

ssl tomcat openssl mod-ssl

share|improve this question

asked Apr 18 '13 at 15:29

Petter NordlanderPetter Nordlander

10315

bumped to the homepage by Community♦ 9 mins ago

This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.

add a comment | 

I'm running a tomcat installation with the APR libraries installed (with the OpenSSL HTTPS stack that comes with it).

What I'm trying to do is to lock a specific HTTPS connector down to users of a specific certificate. Adding client certificate verification is no issue, but I can't get it to validate against a specific Common name only.

I was perhaps a bit naïve and thought the mod_ssl attribute SSLRequire typically used in Apache Httpd would work, but that property is not recognized by the Tomcat implementation. (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL%20Support points to some mod_ssl docs, but the Tomcat implementation does not seem to cover all aspects of mod_ssl).

I can get this to work by using the Java version of the connector instead of APR (losing some performance) and just add a trust store with that one certificate in it. However, using openssl without the SSLRequire expressions, I'm not sure how to do this with Tomcat7 (on Windows if that matters).

<Connector

   protocol="HTTP/1.1"

   port="443" maxThreads="150"

   scheme="https" secure="true" SSLEnabled="true"

   SSLCertificateFile="mycert.pem"

   SSLCertificateKeyFile="privkey.pem"

   SSLCACertificateFile="CABundle.pem"

   SSLVerifyClient="require" SSLProtocol="TLSv1" SSLRequire="(%{SSL_CLIENT_S_DN_CN} eq &quot;host.example.com&quot;)"/>

Can you suggest a way to make this work using Tomcat/APR/OpenSSL?

ssl tomcat openssl mod-ssl

share|improve this question

asked Apr 18 '13 at 15:29

Petter NordlanderPetter Nordlander

10315

<Connector

   protocol="HTTP/1.1"

   port="443" maxThreads="150"

   scheme="https" secure="true" SSLEnabled="true"

   SSLCertificateFile="mycert.pem"

   SSLCertificateKeyFile="privkey.pem"

   SSLCACertificateFile="CABundle.pem"

   SSLVerifyClient="require" SSLProtocol="TLSv1" SSLRequire="(%{SSL_CLIENT_S_DN_CN} eq &quot;host.example.com&quot;)"/>

share|improve this question

asked Apr 18 '13 at 15:29

Petter NordlanderPetter Nordlander

10315

share|improve this question

asked Apr 18 '13 at 15:29

Petter NordlanderPetter Nordlander

10315

asked Apr 18 '13 at 15:29

Petter NordlanderPetter Nordlander

10315

asked Apr 18 '13 at 15:29

Petter NordlanderPetter Nordlander

10315

1 Answer
1

active

oldest

votes

0

The above excerpt is from sever.xml file, right? I have a question, why are you not using your cacerts keystore in whichever JVM/JDK you are using? You're using this to grant https access to your application running on tomcat, right?

I'm surprised PEM format certs worked in TOMCAT. I have always had to convert PEM certs to DER format and then use it in TOMCAT.

I would suggest:

1. Create cert in your keystore /your/path/to/java/jre/lib/security/cacerts by using keytool binary that comes with your java installation. It is provided for you to put your java app on SSL.

OR

1. if you already have your CACERT.PEM, convert it to DER using openssl:

openssl x509 -inform PEM -in CACERT.PEM -outform DER -out CACERT.DER

2. use keytool to import the cert into your keystore.




3. edit server.xml and the way you go.

share|improve this answer

answered Apr 19 '13 at 3:56

Nikolas SakicNikolas Sakic

45728

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  PEM should be fine, tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html uses pem in the example configuration. The question is not about how to import CA certs (this is working ok), but how to lock down the HTTPS connection to one single trusted client certificate.
  
  – Petter Nordlander
  Apr 19 '13 at 5:41
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Is there no option for client-side cert in Connector element? We now there is clientAuth="true", using truststore: truststoreFile, truststorePass, and truststoreType. I haven't tested it yet but client certs go in the trustore keystore if clientAuth is set to true.
  
  – Nikolas Sakic
  Apr 20 '13 at 18:39
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I guess so. Those types does, however, not work with the APR connector. That would mean I would have to sacrifice performance, which is, unfortunately, not an option
  
  – Petter Nordlander
  Apr 20 '13 at 20:06
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  How much performance are we talking about here? Have you done any sort of testing?
  
  – Nikolas Sakic
  Apr 21 '13 at 3:11
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes I have done. It's not really relevant, as I state in the question - I can get this working using the java connector (JSSE). My question is how to do it using the APR/openssl module.
  
  – Petter Nordlander
  Apr 21 '13 at 8:40
  

  
  
  
  

 | 
show 1 more comment

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f500629%2fverify-client-certificate-cn-in-tomcatapr%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

0

The above excerpt is from sever.xml file, right? I have a question, why are you not using your cacerts keystore in whichever JVM/JDK you are using? You're using this to grant https access to your application running on tomcat, right?

I'm surprised PEM format certs worked in TOMCAT. I have always had to convert PEM certs to DER format and then use it in TOMCAT.

I would suggest:

1. Create cert in your keystore /your/path/to/java/jre/lib/security/cacerts by using keytool binary that comes with your java installation. It is provided for you to put your java app on SSL.

OR

1. if you already have your CACERT.PEM, convert it to DER using openssl:

openssl x509 -inform PEM -in CACERT.PEM -outform DER -out CACERT.DER

2. use keytool to import the cert into your keystore.




3. edit server.xml and the way you go.

share|improve this answer

answered Apr 19 '13 at 3:56

Nikolas SakicNikolas Sakic

45728

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  PEM should be fine, tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html uses pem in the example configuration. The question is not about how to import CA certs (this is working ok), but how to lock down the HTTPS connection to one single trusted client certificate.
  
  – Petter Nordlander
  Apr 19 '13 at 5:41
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Is there no option for client-side cert in Connector element? We now there is clientAuth="true", using truststore: truststoreFile, truststorePass, and truststoreType. I haven't tested it yet but client certs go in the trustore keystore if clientAuth is set to true.
  
  – Nikolas Sakic
  Apr 20 '13 at 18:39
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I guess so. Those types does, however, not work with the APR connector. That would mean I would have to sacrifice performance, which is, unfortunately, not an option
  
  – Petter Nordlander
  Apr 20 '13 at 20:06
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  How much performance are we talking about here? Have you done any sort of testing?
  
  – Nikolas Sakic
  Apr 21 '13 at 3:11
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes I have done. It's not really relevant, as I state in the question - I can get this working using the java connector (JSSE). My question is how to do it using the APR/openssl module.
  
  – Petter Nordlander
  Apr 21 '13 at 8:40
  

  
  
  
  

 | 
show 1 more comment

0

The above excerpt is from sever.xml file, right? I have a question, why are you not using your cacerts keystore in whichever JVM/JDK you are using? You're using this to grant https access to your application running on tomcat, right?

I'm surprised PEM format certs worked in TOMCAT. I have always had to convert PEM certs to DER format and then use it in TOMCAT.

I would suggest:

1. Create cert in your keystore /your/path/to/java/jre/lib/security/cacerts by using keytool binary that comes with your java installation. It is provided for you to put your java app on SSL.

OR

1. if you already have your CACERT.PEM, convert it to DER using openssl:

openssl x509 -inform PEM -in CACERT.PEM -outform DER -out CACERT.DER

2. use keytool to import the cert into your keystore.




3. edit server.xml and the way you go.

share|improve this answer

answered Apr 19 '13 at 3:56

Nikolas SakicNikolas Sakic

45728

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  PEM should be fine, tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html uses pem in the example configuration. The question is not about how to import CA certs (this is working ok), but how to lock down the HTTPS connection to one single trusted client certificate.
  
  – Petter Nordlander
  Apr 19 '13 at 5:41
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Is there no option for client-side cert in Connector element? We now there is clientAuth="true", using truststore: truststoreFile, truststorePass, and truststoreType. I haven't tested it yet but client certs go in the trustore keystore if clientAuth is set to true.
  
  – Nikolas Sakic
  Apr 20 '13 at 18:39
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I guess so. Those types does, however, not work with the APR connector. That would mean I would have to sacrifice performance, which is, unfortunately, not an option
  
  – Petter Nordlander
  Apr 20 '13 at 20:06
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  How much performance are we talking about here? Have you done any sort of testing?
  
  – Nikolas Sakic
  Apr 21 '13 at 3:11
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes I have done. It's not really relevant, as I state in the question - I can get this working using the java connector (JSSE). My question is how to do it using the APR/openssl module.
  
  – Petter Nordlander
  Apr 21 '13 at 8:40
  

  
  
  
  

 | 
show 1 more comment

The above excerpt is from sever.xml file, right? I have a question, why are you not using your cacerts keystore in whichever JVM/JDK you are using? You're using this to grant https access to your application running on tomcat, right?

I'm surprised PEM format certs worked in TOMCAT. I have always had to convert PEM certs to DER format and then use it in TOMCAT.

I would suggest:

1. Create cert in your keystore /your/path/to/java/jre/lib/security/cacerts by using keytool binary that comes with your java installation. It is provided for you to put your java app on SSL.

OR

1. if you already have your CACERT.PEM, convert it to DER using openssl:

openssl x509 -inform PEM -in CACERT.PEM -outform DER -out CACERT.DER

2. use keytool to import the cert into your keystore.




3. edit server.xml and the way you go.

share|improve this answer

answered Apr 19 '13 at 3:56

Nikolas SakicNikolas Sakic

45728

share|improve this answer

answered Apr 19 '13 at 3:56

Nikolas SakicNikolas Sakic

45728

answered Apr 19 '13 at 3:56

Nikolas SakicNikolas Sakic

45728

answered Apr 19 '13 at 3:56

Nikolas SakicNikolas Sakic

45728