tomcat-users mailing list archives

Subject How to invalidate an SSL client certificate
Date Wed, 03 Oct 2001 16:06:51 GMT


I am planning to use SSL client certificates with Tomcat standalone. I am
wondering if there is a way to invalidate a client certificate to cover for the
(hopefully) rare event that the device on which it resides gets lost or stolen.

As far as I understand, the SSL protocol specifies an optional step during client
authentication involving an LDAP lookup. If this is the way to do it, should I
set up some kind of LDAP realm in server.xml?

At this moment user registrations are kept in the application's database itself
(and not on an LDAP server), so if it would be possible to retrieve the name of
the user as mentioned in the certificate, that would be real helpful. However, I
cannot find the method in the servlet API nor in the specification.


