Java Forum / Security / October 2003
Certificates and IE

Digby - 05 Oct 2003 13:18 GMT
Hi,

(Apologies if this is slightly off-topic). I'm trying to set up client
certificate authentication on my Tomcat server, where I am the Certificate
Authority and am signing my own certs (using keytool and a 3rd party CA
app).

I've got server authentication working okay, using a server cert issued by
my CA. Then I created a client cert, again signed by my CA, and have
successfully imported the .p12 file into IE. I've also added the CA cert to
the trusted CAs in IE and to cacerts in %java_home%\jre\lib\security.

So the personal cert is listed under options, but when I switch on client
authentication in Tomcat, IE prompts me with an empty list of certificates
to choose from.

I guess IE doesn't match the server cert with my client cert, although
they're both signed by the same CA. How do I tell IE that they do match?

TIA

Dig
Roedy Green - 05 Oct 2003 20:19 GMT
> again signed by my CA, and have
>successfully imported the .p12 file into IE.

What happens if you import your master public key as a cert authority
and import the certs you issue as certs into IE?

How does IE know which certs are being imported for code-signing and
which for authentication? Are they different kinds of cert?

--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
Digby - 05 Oct 2003 21:59 GMT
> > again signed by my CA, and have
> >successfully imported the .p12 file into IE.
>
> What happens if you import your master public key as a cert authority
> and import the certs you issue as certs into IE?

That's basically what I've done. The certificate is valid up the chain, and
the issuing certificate has the same digest as the cert I added as an
authority.

> How does IE know which certs are being imported for code-signing and
> which for authentication? Are they different kinds of cert?

Not sure about this one - it looks like my cert is authorised to do anything
in IE.

Thanks.

Digby
Roedy Green - 05 Oct 2003 22:33 GMT
>That's basically what I've done. The certificate is valid up the chain, and
>the issuing certificate has the same digest as the cert I added as an
>authority

I have no experience with authentication certs. So take everything I
say with a large grain of salt.

There is something a bit strange here.  Would not an authentication
cert need a private key included to work? The certs you are importing
would have only a public key.

Perhaps there has to be some process where the private key is
generated in IE, the public key exported and signed and reimported,
much the way you would do with a code-signing cert.

I don't think there is a way to even export the private key from a
keystore cert, at least with keytool.

--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
Digby - 06 Oct 2003 00:05 GMT
I'm using another tool to export the .p12 file. It's called KeyTool GUI, and
appears to export the private key and user cert okay.

> >That's basically what I've done. The certificate is valid up the chain, and
> >the issuing certificate has the same digest as the cert I added as an
[quoted text clipped - 18 lines]
> Coaching, problem solving, economical contract programming.
> See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
Michel Gallant - 06 Oct 2003 15:52 GMT
When IE is connected to a server via SSL protocol and the
server is configured to require client authentication, then IE
will only present local certificates that:
- are in the Current User MY certificate store
- are time valid
- have an issuer in the local client trusted root CA list
- have an issuer in the server trusted root CA list (depends on server config)

I have generated test S/MIME certs using the MS PSDK tool makecert.exe and
these work properly with IIS5 (haven't checked yet with Tomcat ..).
With IIS5 these self-signed test certificates are ONLY shown to the client if
the IIS server machine has the public (self) cert also in the Local Machine Trusted
Root cert store.

Not sure about the *minimum* requirements of the client certificate in terms
of what Extensions (key restrictions etc..) are required, but I *think* when the
cert/keys are generated or imported into IE, they need to be marked in CryptoAPI
as AT_KEYEXCHANGE (since IE uses CryptoAPI for all cert handling),
but the following cert generation command works for test purposes:

makecert -pe -sp "Microsoft Enhanced Cryptographic Provider v1.0"
     -sky Exchange -r -n "E=youremail@yourdomand.bla,CN=MY CN" -ss MY

This generates an exportable (-pe) 1024 bit RSA key pair (Enhanced provider) marked
as type AT_KEYEXCHANGE and self-signed (-r) with the SubjectName field (-n) as
shown, and adds it to the Current User MY certificate store (the only store IE searches for client certs).

- Michel Gallant
  Visual Security MVP
  http://pages.istar.ca/~neutron

> I'm using another tool to export the .p12 file. It's called KeyTool GUI, and
> appears to export the private key and user cert okay.
[quoted text clipped - 27 lines]
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.522 / Virus Database: 320 - Release Date: 30/09/2003
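A Java diagnostic, added here and not posted in the thread, that runs the checklist above against a client .p12 and the cacerts truststore the CA was imported into on the Tomcat side: private key present, time valid, key usage / EKU compatible with client authentication, and a chain that builds to a trusted CA. It assumes Java 7 or later and that the paths and passwords arrive as command-line arguments; the class name and argument order are this example's own.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Checks one client .p12 against the conditions a browser applies before it offers
// a certificate for SSL client authentication. Usage (assumed argument order):
//   java ClientCertCheck client.p12 <p12-password> cacerts <truststore-password>
public class ClientCertCheck {
    static final String ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"; // TLS client authentication

    public static void main(String[] args) throws Exception {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) { p12.load(in, args[1].toCharArray()); }
        KeyStore trust = KeyStore.getInstance("JKS"); // cacerts format of the era; modern JDKs also read PKCS12 here
        try (FileInputStream in = new FileInputStream(args[2])) { trust.load(in, args[3].toCharArray()); }

        for (String alias : Collections.list(p12.aliases())) {
            if (!p12.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate only, no private key -> unusable for client auth");
                continue;
            }
            X509Certificate cert = (X509Certificate) p12.getCertificate(alias);
            System.out.println(alias + ": " + cert.getSubjectX500Principal() + " issued by " + cert.getIssuerX500Principal());

            // 1. Time validity (notBefore / notAfter against the local clock).
            try { cert.checkValidity(); System.out.println("  validity ........ OK"); }
            catch (CertificateException e) { System.out.println("  validity ........ FAIL (" + e.getMessage() + ")"); }

            // 2. keyUsage bit 0 is digitalSignature; an absent extension means any purpose.
            boolean[] ku = cert.getKeyUsage();
            System.out.println("  digitalSignature  " + (ku == null || ku[0] ? "OK" : "FAIL (keyUsage lacks it)"));
            // Extended key usage, if present, must list clientAuth.
            List<String> eku = cert.getExtendedKeyUsage();
            System.out.println("  clientAuth EKU .. " + (eku == null ? "OK (no EKU extension)"
                    : eku.contains(ID_KP_CLIENT_AUTH) ? "OK" : "FAIL " + eku));

            // 3. A PKIX path must build from this cert to a trust anchor in the truststore.
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(cert);
            PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
            params.setRevocationEnabled(false); // a private test CA publishes no CRL
            List<Certificate> chain = Arrays.asList(p12.getCertificateChain(alias));
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
            try { CertPathBuilder.getInstance("PKIX").build(params); System.out.println("  chain to CA ..... OK"); }
            catch (CertPathBuilderException e) { System.out.println("  chain to CA ..... FAIL (" + e.getMessage() + ")"); }
        }
    }
}
```

A FAIL on the chain step with the same CA cert in both stores usually means the .p12 carries a different issuer than the one imported, which is worth comparing by fingerprint as Digby did.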
Roedy Green - 05 Oct 2003 23:19 GMT
>Not sure abut this one - it looks like my cert is authorised to do anything
>in IE.

I suspect you need an email or SSL type cert for authentication.

--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
Roedy Green - 05 Oct 2003 23:26 GMT
>I suspect you need an email or SSL type cert for authentication.

Unfortunately certs don't have headers telling you what they are.

I guess they did not want anyone trusting such information.

Does anyone know the typical extensions for email certs, SSL certs and
what formats they come in.  I would like to complete the table at
http://mindprod.com/jgloss/certificate.html

--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.
©2008 Advenet LLC