SUPPORT FOR CLIENT SSL CERTIFICATE AUTHENTICATION


Post by havaml » Mon Oct 27, 2008 6:22 pm

Please excuse my naivety on the Java keystore, but is that simply just a folder where the public and private keys are stored on my client PC? I have both certs sitting in a folder on my PC. Do I just give that folder name / path in the step 2 definition, or is there a special keystore folder or container that needs to be established where the certs reside?
Thanks for the bit of clarification...
Mike
havaml
 
Posts: 3
Joined: Mon Oct 27, 2008 6:21 pm

Re: SUPPORT FOR CLIENT SSL CERTIFICATE AUTHENTICATION

Post by support » Mon Oct 27, 2008 6:31 pm

You need a .pfx or .p12 file as the Java keystore. It stands for the PKCS#12 security standard. Such a file includes both the private and public key for client certificate authentication. You can export such a .p12 from Internet Explorer: Options -> Content -> Certificates -> Personal -> Export
Protect this .p12 file with a password when exporting.
support
 
Posts: 1501
Joined: Sun Jan 27, 2008 6:19 pm

Re: SUPPORT FOR CLIENT SSL CERTIFICATE AUTHENTICATION

Post by havaml » Mon Oct 27, 2008 7:59 pm

When I do step 3 in the below recommended procedure... I get a "cacerts is not a legal command" error... Am I missing something?
===========
FTPS with Client certificate - Weak SSL
http://www.jfileupload.com/support/forums/viewtopic.php?f=8&t=117

Deme, let's continue the FTPS discussion here as it could be useful for everyone.

There is a bug in WeakSSL 2.0 that makes the client certificate sent to the server on SSL handshake fail. However, I've just made it work without WeakSSL. Here are instructions if you want to try it:

1/ Remove WeakSSL.
Remove lib/weakssl.jar from all ARCHIVE parameters.
Remove the following parameters too:
<PARAM NAME="param6" VALUE="weakssl">
<PARAM NAME="value6" VALUE="true">

2/ Force user's Java keystore to be your PKCS12 file.
Open the Java control panel.
Start-> Control Panel -> Java -> Java tab -> Runtime parameters.
Add the following parameters:
-Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=c:/tmp/deme.p12 -Djavax.net.ssl.keyStorePassword=xxxxxxx
(Replace xxxxx by the pass phrase)

3/ Import your self-signed CA certificate into the Java trust store.
In C:\Program Files\Java\jre1.6.0_06\lib\security:
a) Back up cacerts
b) Run the following command (all on one line):
C:\Program Files\Java\jre1.6.0_06\bin>keytool -import -trustcacerts -file ca.crt -keystore ../lib/security/cacerts -storepass changeit

Then run the applet in your browser and uploads should work fine with your FTPS server.

I'm going to see how to fix the WeakSSL issue to avoid step 2 and step 3. Do you plan to use a trusted root certificate (such as Verisign, Thawte ...) or only self-signed when you are in production?
havaml
 
Posts: 3
Joined: Mon Oct 27, 2008 6:21 pm

Re: SUPPORT FOR CLIENT SSL CERTIFICATE AUTHENTICATION

Post by havaml » Mon Oct 27, 2008 8:36 pm

Never mind, fixed that problem, keying error... but now when I run step 3 in the recommended procedure, keyed in correctly... I get ---> key tool error: java.io.FileNotFoundException :ca.crt <the system cannot find the file specified>
havaml
 
Posts: 3
Joined: Mon Oct 27, 2008 6:21 pm

Re: SUPPORT FOR CLIENT SSL CERTIFICATE AUTHENTICATION

Post by support » Tue Oct 28, 2008 7:35 am

ca.crt is a file containing the signer certificate of the client certificate. Do you have this file?
Who signed the client certificate? Verisign, Thawte? Or are you using a self-signed certificate?
support
 
Posts: 1501
Joined: Sun Jan 27, 2008 6:19 pm
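
The two questions raised in this thread (what the .p12 file actually holds, and who signed the client certificate) can be answered from the files themselves. This is an added example, not code from the forum or from JFileUpload: it lists the key entries in a PKCS#12 file and looks for the signer of the top certificate of each chain in a Java trust store such as cacerts. The class name and the four command-line arguments are assumptions, and it needs Java 7 or later.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example. Run: java CheckClientKeystore <file.p12> <p12-password> <cacerts-path> <cacerts-password>
public class CheckClientKeystore {
    static KeyStore load(String type, String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }
    // Returns the alias of a trust store entry whose key verifies cert's signature, or null.
    static String findSigner(KeyStore trust, X509Certificate cert) throws Exception {
        for (String alias : Collections.list(trust.aliases())) {
            Certificate c = trust.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate ca = (X509Certificate) c;
            if (!ca.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try {
                cert.verify(ca.getPublicKey());
                return alias;
            } catch (GeneralSecurityException e) {
                // Same subject name but a different key: keep looking.
            }
        }
        return null;
    }
    public static void main(String[] args) throws Exception {
        KeyStore p12 = load("PKCS12", args[0], args[1]);
        KeyStore trust = load(KeyStore.getDefaultType(), args[2], args[3]);
        for (String alias : Collections.list(p12.aliases())) {
            // Client authentication needs a private key entry that carries its certificate chain.
            Certificate[] chain = p12.isKeyEntry(alias) ? p12.getCertificateChain(alias) : null;
            if (chain == null || chain.length == 0) {
                System.out.println(alias + ": no private key with certificate, not usable for client auth");
                continue;
            }
            X509Certificate top = (X509Certificate) chain[chain.length - 1];
            System.out.println(alias + ": private key present, chain length " + chain.length
                    + ", subject " + ((X509Certificate) chain[0]).getSubjectX500Principal());
            System.out.println("  issuer of top certificate: " + top.getIssuerX500Principal());
            System.out.println("  signer found in trust store: " + findSigner(trust, top));
        }
    }
}
```

A result of `null` on the last line means no certificate in that trust store verifies the chain, which is the situation step 3 of the quoted procedure addresses by importing ca.crt.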

Re: SUPPORT FOR CLIENT SSL CERTIFICATE AUTHENTICATION

Post by support » Sun Nov 02, 2008 3:03 pm

We've just released WeakSSL 2.2 at:
http://www.jfileupload.com/products/tools/index.html

If you install it you should get rid of step #3.

I hope it helps.
support
 
Posts: 1501
Joined: Sun Jan 27, 2008 6:19 pm

Re: SUPPORT FOR CLIENT SSL CERTIFICATE AUTHENTICATION

Post by sowmiya » Thu Aug 13, 2009 4:36 am

Thanks for this post providing the SSL certificate authentication installation steps.
sowmiya
 
Posts: 1
Joined: Thu Aug 13, 2009 4:28 am

