Mutual authentication with Tomcat

Mutual authentication with Tomcat (using a Local Certificate Authority)

This is a quick guide that will walk you through the setup of a secure SSL authentication. To achieve this, we will create a local certificate authority that will sign both server and client certificate

Install OpenSSL

If you’re running Linux chances are that you already have the binaries, if not a simple

apt-get install openssl

will do the job

(works for Debian/Ubuntu distrib)

If you’re under windows you could use Cygwin

Create new CA Authority

mkdir local_ca
mkdir local_ca/private
mkdri local_ca/public
cd local_ca
openssl req -new -x509 -days 3652 -sha1 -newkey rsa:1024 -keyout private/ca_private.key -out public/ca_public.crt -subj '/O=MyCompany/OU=Seccure Root CA' 

This will create the private and public key of our new Certificate Authority (Remember the PEM password, it will be necessary to all signing operations)

Create Server certificate

mkdir ~/local_ca/server
cd ~/local_ca/server
openssl genrsa -des3 -out server.key 1024

(Like the CA, we need to enter/remember the password used to create the server certificate, we will use it later)

In order to be signed with our local authority, we need to generate a Certificate Signing Request

openssl req -new -key server.key -out server.csr

You have to use the same password defined earlier to unlock the server private key, then you have to fill the information related to this server (Name, Organization etc.)

Now that we have our CSR we’re going to sign it using our CA

cd ~/local_ca
openssl x509 -req -days 360 -CA public/ca_public.crt -CAkey private/ca_private.key -CAcreateserial -in server/server.csr -out server/server.crt

Note that you have to enter the CA password and not the server password

This will sign the server public key (server.crt)

We have now a private key and a public key signed with a CA, in order to be able to use them by Tomcat, we have to store them within a JKS (JavaKeyStore) file, to do this first create a pkcs12 file with server.crt and server.key

cd ~/local_ca/
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12

We transform the pkcs12 into a JKS with this Java program

Download Jetty ( and copy the jar in your ~/local_ca/server directory

java -cp jetty-4.2.12.jar org.mortbay.util.PKCS12Import server.p12 server.jks

Create a certificate truststore for the server

Our server public key is signed with our local CA, in order for Tomcat to recognize our local CA, we have to create another JKS file that contain the public key of our local CA, we call it truststore

This is will tell Tomcat to trust certificates (including our own) signed (issued) with our local CA

Create a new keystore (empty keystore)

cd ~/local_ca/server
keytool -genkey -alias foo -keystore truststore.jks
keytool -delete -alias foo -keystore truststore.jks

Note: Keytool is a tool of the JVM

Once we have out empty truststore we’re going to added the local CA public key

cd ~/local_cd/server
keytool -import -alias root -keystore truststore.jks -trustcacerts -file ../public/ca_public.crt

To make sure that the certificate was added, you can list the installed certificate in the truststore

keytool -list -keystore truststore.jks

At this point we are done with the server certificates, we have our server.jks and truststore.jks that we’re going to install in Tomcat later, but before let’s create some client certificate

Create Client Certificate

cd ~/local_ca
mkdir clientcd client
openssl req -new -newkey rsa:1024 -nodes -out client.req -keyout client.key

As we did earlier with the server certificate, we’re going to sign the client certificate with our local CA

cd ~/local_ca/
openssl x509 -CA public/ca_public.crt -CAkey private/ca_private.key -req -in client/client.req -out client/client.pem -days 100

We put together the client’s private and public key into a PKCS12 file

cd ~/local_ca/client</span>
openssl pkcs12 -export -clcerts -in client.pem -inkey client.key -out client.p12 -name client

This is it, we have now a client certificate and a server certificate signed with our local CA.

Let’s put this all together under Tomcat

Create a directory under your tomcat conf , where we’re going to put our JKS files (mine is under <YOUR_TOMCAT_ROOT>/conf/certifs.)

Copy server.jks and truststore.jks

Open your Tomcat configuration file <YOUR_TOMCAT_ROOT>/conf/server.xml

Add the following connector

<Connector clientAuth=”true” protocol=”org.apache.coyote.http11.Http11Protocol” port=”8443″ minSpareThreads=”5″ maxSpareThreads=”75″ enableLookups=”true” disableUploadTimeout=”true”

Now your Tomcat is set to use a server certificate and require a client authentication


About nhachicha

Android Developer, share experience about Java, System and Android
This entry was posted in System and tagged , . Bookmark the permalink.

2 Responses to Mutual authentication with Tomcat

  1. Rygaar says:

    At last, an understandable guide to SSL configuration in Tomcat with mutual authentication !
    Short, clear, straight-forward, it really helped me clarify some confusions I had before reading this.

    Thanks a lot.

  2. Rahul Roy says:

    I completely agree with the previous comment. This article is a relief amidst all other confusing references. A hearty thank you for sharing this.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s