
tomcat ssl apr x509


This is my first question in this forum; please accept my apologies in advance for any mistakes. I have a problem configuring Tomcat with SSL and APR.

Context: Tomcat 7, Java 7, OpenSSL, a couple of valid X.509 certificates.

My https connector:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           SSLVerifyClient="require" SSLVerifyDepth="3"
           SSLCertificateFile="${catalina.home}/security/server.pem"
           SSLCertificateKeyFile="${catalina.home}/security/server.key"
           SSLCertificateChainFile="${catalina.home}/security/trust.pem"
           SSLCACertificateFile="${catalina.home}/security/trust_ca.pem"
           />

PKI tree:

ROOT -> CA_intermediate -> CA4Servers -> server (tomcat)
                                      -> serv2Cert
                        -> CA4People  -> people1Cert

A Windows PC client with 2 certificates in the Windows keystore (Windows-MY): people1Cert and serv2Cert.

trust.pem includes ROOT, CA_intermediate, CA4Servers and the Tomcat PEM-encoded public key. trust_ca.pem contains all of trust.pem except the Tomcat cert.

What I want: go to https://tomcat.server:8443/, and the browser presents me with the certificate chooser dialog containing ONE certificate: serv2Cert. I select it and get into the web page successfully. If I select another certificate, the server presents me with an error page.

My problem: when I get the certificate chooser dialog, I see 2 certs: serv2Cert and people1Cert (?). Both of them let me go to the web page! If I change SSLVerifyDepth or trust_ca.pem to limit the client certificates to only serv2Cert, I get SSL errors like "unknown ca" or "unknown certificate".

I've already tried some SSLVerifyDepth values like 1, 2, 3 and 4. Only "3" lets me log into the server. If I remove all CA certs from trust_ca.pem except ROOT, it lets me log in with both client certificates (people1Cert and serv2Cert).

I will appreciate any help with this; sorry for my poor English, and thank you in advance. Best regards.


Solution

  • You can't do this with Tomcat. It is very inflexible about SSL. Note that you are configuring for the entire Tomcat container, not a single web app. I recommend you put an Apache HTTP in front of Tomcat, i.e. as a reverse proxy. Apache HTTPD lets you configure every aspect of SSL, including acceptable client identities, right down to the level of individual directories.
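A minimal Apache HTTPD front-end along the lines the answer suggests, written here as an added example (it is not part of the original post, nor configuration shipped by the Tomcat or Apache projects). It terminates TLS with mod_ssl, accepts only client certificates whose direct issuer is CA4Servers, and proxies to Tomcat with mod_proxy. The file paths, the hostname and the backend address http://127.0.0.1:8080/ are assumed placeholders; the CA name "CA4Servers" and the chain depth come from the PKI tree in the question.

```apache
# Added example: Apache HTTPD (mod_ssl + mod_proxy + mod_headers) in front of Tomcat.
# Assumed placeholders: certificate paths under /etc/ssl/tomcat/, the hostname,
# and a Tomcat HTTP connector listening on 127.0.0.1:8080.
Listen 443
<VirtualHost *:443>
    ServerName tomcat.server

    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile      /etc/ssl/tomcat/server.pem
    SSLCertificateKeyFile   /etc/ssl/tomcat/server.key
    # Intermediates sent to clients so they can build the server's chain.
    SSLCertificateChainFile /etc/ssl/tomcat/chain.pem

    # Client authentication. The CA file holds the chain ROOT -> CA_intermediate -> CA4Servers.
    SSLCACertificateFile    /etc/ssl/tomcat/trust_ca.pem
    SSLVerifyClient require
    # Depth counts issuers above the client certificate:
    # serv2Cert (0) -> CA4Servers (1) -> CA_intermediate (2) -> ROOT (3).
    SSLVerifyDepth 3

    # The CA names advertised in the TLS CertificateRequest. Listing only
    # CA4Servers makes browsers offer only certificates under that CA in the
    # chooser; people1Cert (issued by CA4People) is filtered out client-side.
    SSLCADNRequestFile      /etc/ssl/tomcat/ca4servers.pem

    # Server-side enforcement: a chain that verifies up to ROOT is not enough,
    # the client certificate's direct issuer must be CA4Servers.
    SSLOptions +StdEnvVars +StrictRequire
    <Location "/">
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "CA4Servers"
    </Location>

    # Hand the verified subject to Tomcat in a request header; Tomcat must only
    # trust this header when the request arrives from the proxy.
    RequestHeader set X-Client-DN "%{SSL_CLIENT_S_DN}e"

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Two points worth checking after deploying such a front-end: the Tomcat HTTP connector should bind to 127.0.0.1 (or be reachable only from the proxy host) so that clients cannot bypass the client-certificate check by connecting to port 8080 directly, and SSLCADNRequestFile only shapes what the browser offers in its chooser; the SSLRequire rule is what actually rejects a people1Cert presented by a client that ignores the advertised CA list.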