I'm running a tomcat installation with the APR libraries installed (with the OpenSSL HTTPS stack that comes with it).
What I'm trying to do is to lock a specific HTTPS connector down to users of a specific certificate. Adding client certificate verification is no issue, but I can't get it to validate against a specific Common name only.
I was perhaps a bit naïve and thought the mod_ssl attribute SSLRequire
typically used in Apache Httpd would work, but that property is not recognized by the Tomcat implementation. (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL%20Support points to some mod_ssl docs, but the Tomcat implementation does not seem to cover all aspects of mod_ssl).
I can get this to work by using the Java version of the connector instead of APR (losing some performance) and just add a trust store with that one certificate in it. However, using openssl without the SSLRequire expressions, I'm not sure how to do this with Tomcat7 (on Windows if that matters).
<Connector
protocol="HTTP/1.1"
port="443" maxThreads="150"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="mycert.pem"
SSLCertificateKeyFile="privkey.pem"
SSLCACertificateFile="CABundle.pem"
SSLVerifyClient="require" SSLProtocol="TLSv1" SSLRequire="(%{SSL_CLIENT_S_DN_CN} eq "host.example.com")"/>
Can you suggest a way to make this work using Tomcat/APR/OpenSSL?
Best Answer
The above excerpt is from sever.xml file, right? I have a question, why are you not using your cacerts keystore in whichever JVM/JDK you are using? You're using this to grant https access to your application running on tomcat, right?
I'm surprised PEM format certs worked in TOMCAT. I have always had to convert PEM certs to DER format and then use it in TOMCAT.
I would suggest:
OR
openssl x509 -inform PEM -in CACERT.PEM -outform DER -out CACERT.DER
use keytool to import the cert into your keystore.
edit server.xml and the way you go.