So far, attempts to set up user certs using Dogtag CA fail, while self-signed client certificates work fine.

The end goal is to have tomcat pass a user cert to an application, which will authenticate and bypass the initial login screen.


The details,

Dogtag 9.0 installed on a CentOS 6.4 server

Server cert is set up correctly in the local keystore and the tomcat server.xml is configured

        <Connector SSLEnabled="true"
                   maxThreads="150"
                   maxSpareThreads="75"
                   minSpareThreads="25"
                   acceptCount="100"
                   clientAuth="true"
                   disableUploadTimeout="true"
                   enableLookups="false"
                   maxHttpHeaderSize="8192"
                   URIEncoding="UTF-8"
                   keyAlias="tomcat"
                   keystoreFile="/opt/SSL-keystore.jks"
                   keystorePass="PKI-server-cert"
                   keystoreType="JKS"
                   truststoreFile="/opt/SSL-truststore.p12"
                   truststorePass="PKI-CA-cert"
                   truststoreType="PKCS12"
                   port="8443"
                   scheme="https"
                   secure="true"
                   sslProtocol="TLS"/>

This works correctly with a self-signed user cert, the browser requests a user cert before displaying the initial login screen.

The next step is to create a truststore entry referencing Dogtag's CA certificate and user cert.


Searching the web for dogtag user certs, openssl and Fedora/user documentation has not yielded any detailed User Guides or user notes.

Both the Admin and Agent Guide were useful for defining admin and agent usage, but did not provide detailed information on importing a cert authority into a truststore or using the truststore to sign an X509 client certificate.

Once the client certificate handshake is established, can tomcat parse the certificate or would apache mod_SSL be a better choice?

Finally, can/should the application use an openssl ocsp call to validate the certificate?


At this point, I'm not knowledgeable enough with PKI and Dogtag to define a workable solution.

Have I missed some essential documentation?

Has anyone found or written any Dogtag User Notes or have references to Dogtag usage?


Any recommendations would be appreciated.


Chris Grijalva
Configuration Management | Data Fusion & Analytics

Sotera Defense Solutions, Inc.

o: 512.814.0186

c: 713.291.2215

f:  512.814.0308
e: chris.grijalva@soteradefense.com
w: www.soteradefense.com

Potomac Fusion, LLC is now the Data Fusion & Analytics business of Sotera Defense Solutions
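On the question of whether Tomcat can hand the client certificate to the application: with `clientAuth="true"`, Tomcat's JSSE connector has already checked that the presented chain ends at a certificate in the configured truststore before the request reaches a servlet, and it exposes the chain through the request attribute `javax.servlet.request.X509Certificate`. The filter below is an added example, not code from the original post or from the Dogtag or Tomcat projects; it assumes a Tomcat 6/7 era `javax.servlet` API, reuses the truststore path and password from the `server.xml` above, and names the filter class, the session attribute `"user"` and the user-to-CN mapping as this example's own choices. It re-validates the chain against the same truststore with the JDK's PKIX validator (so the application does not silently trust a misconfigured connector), takes the CN from the end-entity certificate as the authenticated user, and lets the login screen be skipped only when both steps succeed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Example filter: maps a Tomcat-verified client certificate to a session user. */
public class ClientCertLoginFilter implements Filter {
    // Same PKCS12 truststore the Tomcat connector uses (values taken from server.xml above).
    private static final String TRUSTSTORE_PATH = "/opt/SSL-truststore.p12";
    private static final char[] TRUSTSTORE_PASS = "PKI-CA-cert".toCharArray();
    // Attribute under which Tomcat publishes the client chain (end-entity first).
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private PKIXParameters pkixParams;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try (InputStream in = Files.newInputStream(Paths.get(TRUSTSTORE_PATH))) {
            KeyStore ts = KeyStore.getInstance("PKCS12");
            ts.load(in, TRUSTSTORE_PASS);
            // Every trusted-certificate entry in the store becomes a PKIX trust anchor
            // (the Dogtag CA certificate once it has been imported there).
            pkixParams = new PKIXParameters(ts);
            // Revocation checking is off here; see the note below on enabling OCSP.
            pkixParams.setRevocationEnabled(false);
        } catch (Exception e) {
            throw new ServletException("cannot load truststore " + TRUSTSTORE_PATH, e);
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain next)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        X509Certificate[] presented = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (presented == null || presented.length == 0) {
            // No client certificate negotiated: fall through to the normal login screen.
            next.doFilter(request, response);
            return;
        }

        String user = validateAndExtractUser(presented);
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not trusted");
            return;
        }
        // Hypothetical session attribute the application's login check would read.
        req.getSession(true).setAttribute("user", user);
        next.doFilter(request, response);
    }

    /** Returns the CN of the end-entity certificate if the chain validates, else null. */
    static String validateAndExtractUser(X509Certificate[] presented) {
        try {
            // Browsers may send the self-signed CA certificate along with the user cert;
            // PKIX expects the path without its trust anchor, so drop self-signed entries.
            List<X509Certificate> path = new ArrayList<>();
            for (X509Certificate c : presented) {
                if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
                    path.add(c);
                }
            }
            if (path.isEmpty()) {
                return null;
            }
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath certPath = cf.generateCertPath(path);
            // Throws CertPathValidatorException on an untrusted issuer, expiry or bad signature.
            CertPathValidator.getInstance("PKIX").validate(certPath, pkixParamsHolder());
            return commonName(path.get(0));
        } catch (Exception e) {
            return null;
        }
    }

    // Static accessor so the validation helper can be unit tested without a servlet container.
    private static PKIXParameters pkixParamsHolder() throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(TRUSTSTORE_PATH))) {
            KeyStore ts = KeyStore.getInstance("PKCS12");
            ts.load(in, TRUSTSTORE_PASS);
            PKIXParameters p = new PKIXParameters(ts);
            p.setRevocationEnabled(false);
            return p;
        }
    }

    /** Extracts the CN attribute from the certificate's subject DN (RFC 2253 form). */
    static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    @Override
    public void destroy() { }
}
```

On the OCSP question: rather than shelling out to `openssl ocsp`, the same PKIX validator can perform OCSP itself when `pkixParams.setRevocationEnabled(true)` is set and the JVM property `ocsp.enable` is `true` (set with `Security.setProperty("ocsp.enable", "true")` or in `java.security`); it then queries the responder named in the certificate's Authority Information Access extension, so the Dogtag profile used for the user certs must include that extension for this to work. Whether the Dogtag 9.0 profile in use emits AIA is not something the post states, so treat that as a setting to confirm before relying on in-process revocation checks.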