httpd in front of JBoss, and EJBCA certificate generation

I’m trying to set up httpd in front of a JBoss server, with client authentication using X.509 certs. I have followed this tutorial to create my own CA, server and client certs with openssl, and it works.
Now I’m trying to generate the certs using the EJBCA tool rather than openssl, but I fail.
The certs I generate have something badly configured, because when I try to use them I get an SSL handshake error between Apache and JBoss, and in the Apache logs I can see:

[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server hello A
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1321): [client 10.55.160.194] Certificate Verification: depth: 2, subject: /CN=DEXXISCA/O=DEXXIS/C=FR, issuer: /CN=DEXXISCA/O=DEXXIS/C=FR
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1321): [client 10.55.160.194] Certificate Verification: depth: 1, subject: /CN=DEXXIS-RND-CA/O=DEXXIS/C=FR, issuer: /CN=DEXXISCA/O=DEXXIS/C=FR
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1321): [client 10.55.160.194] Certificate Verification: depth: 0, subject: /CN=centralbase/O=DEXXIS/C=FR, issuer: /CN=DEXXIS-RND-CA/O=DEXXIS/C=FR
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server certificate A
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server key exchange A
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server certificate request A
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read server done A
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1660): Proxy client certificate callback: (centralbase:443) entered
[Mon Jan 07 14:51:28 2013] [debug] ssl_engine_kernel.c(1705): Proxy client certificate callback: (centralbase:443) no client certificate found!?

Does anybody know what I need to configure in EJBCA to get the certificate that will allow me to have SSL between Apache and JBoss (I’m using mod_proxy_http)?

Answer

OK, I solved the problem. It appeared that EJBCA generated the JKS files without all the CA certs (just the root CA); that’s why it did not work when a sub CA was used. After fixing the server JKS file everything is OK.

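The failure the answer describes, reproduced as an added example that is not part of the original question or answer and uses none of EJBCA's, JBoss's or Apache's code: the script builds the three-level hierarchy visible in the posted log with openssl alone (root DEXXISCA, sub CA DEXXIS-RND-CA, server centralbase) and then checks, as a client that trusts only the root would, whether the server certificate can be verified when the server sends the leaf alone versus the leaf together with the sub CA certificate. The subject names are taken from the log lines above; the keys, files, scratch directory and the helper names verify_as_client and report are constructed here for the example.

```shell
#!/bin/sh
# Added example; not the original poster's code and not part of EJBCA, JBoss
# or Apache. Rebuilds the certificate hierarchy from the posted log with
# openssl and shows why a keystore that carries only the root CA fails once a
# sub CA sits between root and server. Subject names come from the log; keys,
# files and the helper names are made up for this script.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\n' > server.ext

# depth 2 in the log: self-signed root CA
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=DEXXISCA/O=DEXXIS/C=FR' -keyout root.key -out root.pem 2>/dev/null

# depth 1: sub CA issued by the root
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -subj '/CN=DEXXIS-RND-CA/O=DEXXIS/C=FR' -keyout sub.key -out sub.csr 2>/dev/null
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out sub.pem 2>/dev/null

# depth 0: the server certificate (centralbase), issued by the sub CA
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -subj '/CN=centralbase/O=DEXXIS/C=FR' -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -days 30 -extfile server.ext -out server.pem 2>/dev/null

# What the two keystores would present during the handshake:
cp server.pem chain_rootonly.pem          # broken: leaf only, the sub CA is missing
cat server.pem sub.pem > chain_full.pem   # fixed: leaf followed by the sub CA

# verify_as_client TRUST_ANCHOR PRESENTED_CHAIN LEAF
# Acts as a client that trusts only TRUST_ANCHOR and has to build the path
# from what the server sends (-untrusted). Exit status 0 means the path was
# found; any other status means the handshake would have been aborted.
verify_as_client() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# report PRESENTED_CHAIN: print the verdict a root-trusting client reaches.
report() {
    if verify_as_client root.pem "$1" server.pem; then
        echo "$1: path to root found, handshake would succeed"
    else
        echo "$1: no path to root, handshake would fail"
    fi
}

report chain_rootonly.pem
report chain_full.pem
```

On the JBoss side the same defect is visible with keytool -list -v -keystore server.jks: the PrivateKeyEntry should report a certificate chain length of 3 (server, sub CA, root), not 1 or 2. A chain assembled in PEM as above (leaf first, then the sub CA, then the root) can be installed against the existing key with keytool -importcert, using the alias of that key entry, which is how a CA reply is normally imported.
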
Attribution
Source: Link, Question Author: Nadir, Answer Author: Nadir