tomcat-users mailing list archives

From Wolfgang Stein <zo...@gmd-net.de>
Subject Re: SSL Client authentication with standalone Tomcat
Date Tue, 26 Feb 2002 13:18:41 GMT
Imagine an online banking system with some thousand clients

I can't believe that you have to import each
client cert into the keystore file.

If you start tomcat with the -Djavax.net.debug=all option
you should be able to verify that tomcat initially sends a list 
of trusted CAs taken from the cacert file. 
This file should contain one CA (or more) that signed 
a client certificate signing request (or groups of them).

But Anton Brazhnyk's suggestion could be an alternative way.
If anybody succeeded in establishing the ssl client cert handshake
after importing client certs into the keystore file only,
please let us know.


Regards,
Wolfgang
 

Anton Brazhnyk wrote
> ....
> I'm not sure it's necessary, but I'd import last certificate with 
> following command:
> 
> 	keytool -import -trustcacerts -file my.crt -alias tomcat
> ....


Wolfgang Stein wrote:
> ....
> As far as I understand the client-auth handshake,
> the server sends a list of trusted CAs to the client.
>
> This list is taken from
> <JAVA_HOME_set_in_your_tomcat>\lib\security\cacerts
> So you have to import your CA-cert into that file,
> instead of your .keystore .
> There is no need to import the client cert into cacerts or keystore.
> ....

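An added illustration of the trust logic argued in this thread (example code written for this archive page, not from Tomcat or from either poster): the server advertises the subject names of the certificates in its truststore in the CertificateRequest, the client only offers a certificate whose chain leads to one of those names, and the server accepts a chain that ends at a trusted entry. Names are matched as plain strings; no real signatures or ASN.1 parsing are involved, which is an assumption made to keep the model small.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # subject of the signing cert; equals subject for a self-signed root


def advertised_ca_names(truststore):
    """Names the server puts in its CertificateRequest: subjects of trusted certs."""
    return sorted(c.subject for c in truststore)


def chain_for(leaf, available):
    """Walk leaf -> issuer -> ... using whatever certs are available (name match only)."""
    by_subject = {c.subject: c for c in available}
    chain = [leaf]
    while chain[-1].issuer != chain[-1].subject:
        parent = by_subject.get(chain[-1].issuer)
        if parent is None:
            break  # chain is incomplete; stop and let the caller decide
        chain.append(parent)
    return chain


def select_client_cert(ca_names, client_certs, intermediates):
    """Client side: offer a cert only if some link in its chain was issued by an advertised CA."""
    for leaf in client_certs:
        if any(c.issuer in ca_names for c in chain_for(leaf, intermediates)):
            return leaf
    return None  # nothing matches: the client sends no certificate and auth fails


def server_accepts(leaf, truststore, intermediates):
    """Server side: accept if the chain reaches a cert that is itself in the truststore."""
    anchors = {c.subject for c in truststore}
    return any(c.subject in anchors or c.issuer in anchors
               for c in chain_for(leaf, intermediates))


# Constructed sample PKI: one root CA, one issuing CA, two clients.
ROOT = Cert("CN=Bank Root CA", "CN=Bank Root CA")
ISSUING = Cert("CN=Bank Issuing CA", "CN=Bank Root CA")
ALICE = Cert("CN=alice", "CN=Bank Root CA")
BOB = Cert("CN=bob", "CN=Bank Issuing CA")

if __name__ == "__main__":
    # Truststore holds only the CA: every client signed by it can authenticate.
    print(select_client_cert(advertised_ca_names([ROOT]), [ALICE], []))
    # Truststore holds only alice's leaf cert: the advertised list names no issuer
    # that alice's client recognises, so the client offers nothing.
    print(select_client_cert(advertised_ca_names([ALICE]), [ALICE], []))
```

The second case is why importing each client certificate instead of the CA does not scale: the server would accept the leaf, but a standards-following client never offers it because its issuer is absent from the advertised list.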

