Version 5

    How to set up a demo of client-certificate authentication with mod_jk and JBoss.


    On RHEL4 use the CA script shipped in the openssl rpm; CA is the certificate
    authority management script of openssl.


    1 - Create a new CA:

        /usr/share/ssl/misc/CA -newca


    2 - Create a new request:

        /usr/share/ssl/misc/CA -newreq

        (that creates a file named newreq.pem)


    3 - Separate the request and the private key:

        newreq.pem as written by the CA script contains both the private key and the
        request. Put the key in key.pem and leave only the request in newreq.pem.


    4 - Sign the request using the CA you created on 1:


        /usr/share/ssl/misc/CA -signreq


        (that creates a file named newcert.pem)



    5 - openssl pkcs12 -export -inkey key.pem -in newcert.pem -out test.p12

        test.p12 can be imported in the browser. It contains the client's private key
        (as does key.pem), so keep both files private and choose a real export passphrase.


    6 - Import the client certificate (test.p12) in the browser.


    7 - Apache httpd has to trust the CA created in 1 (otherwise it will reject the client certificate).

        Add the CA certificate (demoCA/cacert.pem) to $APACHE_HOME/.../ca-bundle.crt

        or add in httpd.conf:


        SSLCACertificateFile $PATH_TO/demoCA/cacert.pem
        SSLVerifyClient require
        SSLOptions +StdEnvVars +ExportCertData

        Note that httpd accepts any certificate signed by that CA at the TLS level;
        which certificates may log in is decided by the JBoss keystore and the
        properties files in steps 9 to 11.



    8 - Configure mod_jk to forward the SSL information (including the client certificate) to Tomcat.

        In httpd.conf use:


        JkExtractSSL on
        JkOptions     +ForwardKeySize


    9 - Add the client certificate (the public part, newcert.pem, not key.pem) to the JBoss AS keystore, for example:


        keytool -import -alias jfclere -keystore ./server/default/conf/localhost.keystore -file $PATH_TO/newcert.pem


    10 - Check the Owner (the subject DN) of the imported certificate:


        keytool -v -list -alias jfclere -keystore ./server/default/conf/localhost.keystore

        The Owner line shows the DN as keytool renders it, for example:

        ..., CN=support, OU=Jboss, O=Redhat, L=Neuchatel, ST=Neuchatel, C=CH


    11 - Create an entry like the following in server/default/conf/props/ that maps the
         Owner DN from step 10 to a role (here JBossAdmin). The DN is the properties key,
         so "=" and spaces in it must be escaped with a backslash:


    EMAILADDRESS\,\ CN\=support,\ OU\=Jboss,\ O\=Redhat,\ L\=Neuchatel,\ ST\=Neuchatel,\ C\=CH=JBossAdmin


    12 - For the rest of the JBoss configuration follow BaseCertLoginModule.




    If you want to use openssl certificate files with keytool, remember that the
    text dump the CA script writes before the -----BEGIN CERTIFICATE----- line
    confuses keytool. Remove everything before that line, otherwise you get the error message:


    keytool error: java.lang.Exception: Input not an X.509 certificate
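    The CA, client-certificate and PKCS#12 steps (1 to 5) and the keytool note above, as an added
    example that is not part of the original page, done with plain openssl subcommands instead of the
    CA wrapper script so that key and request are written to separate files from the start. File names
    follow the page (demoCA/, newreq.pem, key.pem, newcert.pem, test.p12); the subject fields, the
    validity period, the file name newcert-bare.pem and the export passphrase are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the page's own procedure: demo CA + client certificate with
# plain openssl. Subject fields, validity and passphrase are made-up demo values.
set -eu

CA_SUBJ='/C=CH/ST=Neuchatel/L=Neuchatel/O=Redhat/OU=Jboss/CN=Demo CA'
CLIENT_SUBJ='/C=CH/ST=Neuchatel/L=Neuchatel/O=Redhat/OU=Jboss/CN=support/emailAddress=support@example.invalid'
P12_PASS='changeit'   # assumed demo passphrase; the browser asks for it on import

have_openssl() { command -v openssl >/dev/null 2>&1; }

# make_demo_pki DIR: creates DIR/demoCA (CA key + certificate) and the client
# files key.pem, newreq.pem, newcert.pem, newcert-bare.pem and test.p12 in DIR.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir/demoCA/private"
    (
        cd "$dir" || exit 1

        # 1 - Create a new CA: a self-signed CA certificate and its private key.
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$CA_SUBJ" \
            -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem

        # 2/3 - Create the client request; key and request go to separate files,
        #       so there is nothing to split by hand.
        openssl req -new -newkey rsa:2048 -nodes -subj "$CLIENT_SUBJ" \
            -keyout key.pem -out newreq.pem

        # 4 - Sign the request with the CA from step 1 (creates demoCA/cacert.srl).
        openssl x509 -req -in newreq.pem -CA demoCA/cacert.pem \
            -CAkey demoCA/private/cakey.pem -CAcreateserial -days 365 -out newcert.pem

        # 5 - Bundle key + certificate (+ CA certificate) into a PKCS#12 file for
        #     the browser. It holds the private key: protect it like key.pem.
        openssl pkcs12 -export -inkey key.pem -in newcert.pem \
            -certfile demoCA/cacert.pem -out test.p12 -passout "pass:$P12_PASS"

        # Checks worth doing before touching httpd or JBoss:
        openssl verify -CAfile demoCA/cacert.pem newcert.pem          # chain is right
        openssl pkcs12 -in test.p12 -passin "pass:$P12_PASS" -noout  # bundle parses

        # 9 - keytool rejects a PEM file that has a text dump in front of the
        #     certificate (the CA script writes one); re-encode to a bare PEM
        #     block, which is what to give to keytool -import.
        openssl x509 -in newcert.pem -out newcert-bare.pem

        # 10/11 - show the subject DN; keytool renders the same DN as
        #     "EMAILADDRESS=..., CN=support, ..." and that rendering is the
        #     key for the properties entry in step 11.
        openssl x509 -in newcert.pem -noout -subject -nameopt RFC2253
    )
}

# Stand-alone use:  sh demo-pki.sh run ./pki
if [ "${1:-}" = run ]; then
    make_demo_pki "${2:-./pki}"
fi
```

    Unlike the CA script, this variant creates unencrypted keys (-nodes) for the demo; for anything
    beyond a demo drop that flag so the CA and client keys are passphrase protected.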



    To use a self-signed certificate for Apache httpd do the following:

        /usr/share/ssl/misc/CA -newcert (creates 2 files: newcert.pem and newkey.pem).


    Use in httpd.conf:


    SSLCertificateKeyFile newkey.pem
    SSLCertificateFile newcert.pem


    Example of a minimal entry for ssl in httpd.conf:


    <IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    Listen 8443
    SSLPassPhraseDialog  builtin
    <VirtualHost _default_:8443>
    SSLEngine on
    SSLCertificateKeyFile _path_to_key/newkey.pem
    SSLCertificateFile _path_to_cert/newcert.pem