tomcat-users mailing list archives

From Anton Brazhnyk <a.brazh...@biconsulting.ws>
Subject RE: SSL Client authentication with standalone Tomcat
Date Tue, 26 Feb 2002 13:46:32 GMT
Hi Wolfgang,

> -----Original Message-----
> From: Wolfgang Stein [mailto:zorro@gmd-net.de]
> Sent: Tuesday, February 26, 2002 3:19 PM
> To: tomcat-user@jakarta.apache.org
> Subject: Re: SSL Client authentication with standalone Tomcat
> 
> 
> Imagine an online banking system with some thousand clients
> 
> I can't believe that you have to import each
> client cert into the keystore file.
> 
> If you start tomcat with the -Djavax.net.debug=all option
> you should be able to verify that tomcat initially sends a list 
> of trusted CAs taken from the cacert file. 
> This file should contain one CA (or more) that signed 
> a client certificate signing request (or groups of them).
> 
> But Anton Brazhnyk's suggestion could be an alternative way.
> If anybody succeeded in establishing the ssl client cert handshake
> after importing client certs into the keystore file only,
> please let us know.
> 

Actually I meant importing server certificate, since there wasn't
"-trustcacerts" in statement with "-alias tomcat".

And, well, I'm not sure again... :)
Client cert should be signed with certificate of the server
(not just with CA certificate)

> 
> Gruß,
> Wolfgang
>  
> 
> Anton Brazhnyk wrote
> > ....
> > I'm not sure its necessary, but I'd import last certificate with 
> > following command:
> > 
> > 	keytool -import -trustcacerts -file my.crt -alias tomcat
> > ....
> 
> 
> Wolfgang Stein wrote:
> > ....
> > As far as i understand the client-auth handshake,
> > the server sends a list of trusted CAs to the client.
> >
> > This list is taken from
> > <JAVA_HOME_set_in_your_tomcat>\lib\security\cacerts
> > So you have to import your CA-cert into that file,
> > instead of your .keystore .
> > There is no need to import the client cert into cacerts or keystore.
> > ....
> 

Anton

--
To unsubscribe:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>
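Wolfgang's advice to check the javax.net.debug output for the list of trusted CAs refers to the CertificateRequest handshake message, in which the server announces the distinguished names of the CAs it will accept a client certificate from. As an added example (not from this thread, Tomcat or the JDK), the script below builds a TLS 1.2 CertificateRequest from a constructed CA list and decodes it back, so the announced names can be compared with the issuer of the client certificate. The message bytes and the "Example Bank" names are constructed here, and the DER Name rendering covers only the common CN, O, OU and C attributes.

```python
"""Build (for the sample) and decode a TLS 1.2 CertificateRequest handshake
message, listing the CA distinguished names it carries (RFC 5246, 7.4.4).
Added example: the message is constructed here, not captured from Tomcat."""
import struct

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}


def der(tag, content):
    """Encode one DER tag-length-value (short or long-form length)."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    """Dotted OID string -> DER content bytes (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    """DER OID content bytes -> dotted string."""
    arcs, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def encode_name(pairs):
    """Build a DER Name from [(attr, value)], e.g. [('CN', 'My CA'), ('C', 'DE')]."""
    rdns = b""
    for attr, value in pairs:
        atv = der(0x30, der(0x06, encode_oid(NAME_OIDS[attr])) + der(0x0C, value.encode()))
        rdns += der(0x31, atv)  # each RDN is a SET holding one AttributeTypeAndValue
    return der(0x30, rdns)


def decode_name(raw):
    """Render a DER Name as 'CN=..., O=..., C=...' (unknown OIDs shown dotted)."""
    tag, seq, _ = der_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = der_tlv(seq, pos)
        spos = 0
        while spos < len(rdn):
            _, atv, spos = der_tlv(rdn, spos)
            _, oid, vpos = der_tlv(atv, 0)
            _, val, _ = der_tlv(atv, vpos)
            o = decode_oid(oid)
            parts.append(f"{OID_NAMES.get(o, o)}={val.decode('utf-8')}")
    return ", ".join(parts)


def build_certificate_request(ca_names):
    """Constructed TLS 1.2 CertificateRequest (handshake type 13) for the sample."""
    cert_types = bytes([1, 64])      # rsa_sign, ecdsa_sign
    sig_algs = bytes([4, 1, 4, 3])   # sha256+rsa, sha256+ecdsa
    cas = b"".join(struct.pack("!H", len(n)) + n for n in map(encode_name, ca_names))
    body = (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)
    return bytes([13]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg):
    """Return (certificate_types, signature_algorithms, ca_names); raise on malformed input."""
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest (handshake type 13)")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")
    n, pos = body[0], 1
    cert_types, pos = list(body[pos:pos + n]), pos + n
    n, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2
    sig_algs, pos = [(body[i], body[i + 1]) for i in range(pos, pos + n, 2)], pos + n
    n, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2
    end, ca_names = pos + n, []
    while pos < end:
        dn_len, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2
        ca_names.append(decode_name(body[pos:pos + dn_len]))
        pos += dn_len
    if pos != end or end != len(body):
        raise ValueError("malformed certificate_authorities list")
    # An empty ca_names list means the server states no CA preference; the client
    # may then offer any certificate of an acceptable type (RFC 5246, 7.4.4).
    return cert_types, sig_algs, ca_names


# Constructed sample: the CAs a bank's Tomcat truststore might hold for client certs.
SAMPLE_CAS = [
    [("CN", "Example Bank Client CA"), ("O", "Example Bank"), ("C", "DE")],
    [("CN", "Example Bank Root CA"), ("C", "DE")],
]

if __name__ == "__main__":
    types, algs, names = parse_certificate_request(build_certificate_request(SAMPLE_CAS))
    print("certificate types:", types)
    for name in names:
        print("acceptable CA:", name)
```

The names printed are the ones the client's certificate must chain to; a certificate that merely sits in the server's keystore but whose issuer is not in this list will not be selected by a standards-conforming client, which matches Wolfgang's point that the truststore, not the keystore, drives client authentication.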

