From: Anton Brazhnyk
To: Tomcat Users List
Date: Tue, 26 Feb 2002 15:46:32 +0200
Subject: RE: SSL Client authentication with standalone Tomcat
Message-ID: <3123845.1014731221467.JavaMail.nobody@db-portal.office>

Hi Wolfgang,

> -----Original Message-----
> From: Wolfgang Stein [mailto:zorro@gmd-net.de]
> Sent: Tuesday, February 26, 2002 3:19 PM
> To: tomcat-user@jakarta.apache.org
> Subject: Re: SSL Client authentication with standalone Tomcat
>
> > Imagine an online banking system with some thousand clients
>
> I can't believe that you have to import each
> client cert into the keystore file.
>
> If you start tomcat with the -Djavax.net.debug=all option
> you should be able to verify that tomcat initially sends a list
> of trusted CAs taken from the cacert file.
> This file should contain one CA (or more) that signed
> a client certificate signing request (or groups of them).
>
> But Anton Brazhnyk's suggestion could be an alternative way.
> If anybody succeeded in establishing the ssl client cert handshake
> after importing client certs into the keystore file only,
> please let us know.

Actually I meant importing server certificate, since there wasn't
"-trustcacerts" in statement with "-alias tomcat".
And, well, I'm not sure again... :)
Client cert should be signed with certificate of the server (not just
with CA certificate)

> Gruß,
> Wolfgang
>
> > Anton Brazhnyk wrote
> > ....
> > I'm not sure it's necessary, but I'd import last certificate with
> > following command:
> >
> > keytool -import -trustcacerts -file my.crt -alias tomcat
> > ....
>
> Wolfgang Stein wrote:
> > ....
> > As far as I understand the client-auth handshake,
> > the server sends a list of trusted CAs to the client.
> >
> > This list is taken from
> > \lib\security\cacerts
> > So you have to import your CA-cert into that file,
> > instead of your .keystore .
> > There is no need to import the client cert into cacerts or keystore.
> > ....

Anton
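One way to check Wolfgang's claim without reading the -Djavax.net.debug=all output: the list of CA names a JSSE server advertises during client authentication is exactly what the trust manager reports as its accepted issuers. The program below is an added example, not code from the thread or from Tomcat; it assumes a current JDK, the default cacerts under java.home with the stock password "changeit", and that no other truststore (e.g. via -Djavax.net.ssl.trustStore) has been configured, in which case pass that file and password as arguments instead.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (not from the mailing list): prints the CA subjects a JSSE
// server would send as acceptable issuers when it requests a client cert.
// If your CA is missing here, client certificates signed by it will not be
// offered by browsers, no matter what is in the server's own .keystore.
public class ListAcceptedIssuers {
    public static void main(String[] args) throws Exception {
        // Assumption: default cacerts location and password unless overridden.
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }

        // Same factory JSSE uses to build the server's trust manager.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                X509Certificate[] issuers = ((X509TrustManager) tm).getAcceptedIssuers();
                System.out.println(issuers.length + " acceptable issuer(s) in " + path);
                for (X509Certificate ca : issuers) {
                    System.out.println("  " + ca.getSubjectX500Principal());
                }
            }
        }
    }
}
```

Run it once before and once after `keytool -import -trustcacerts` of your CA certificate into that file; the CA's subject should appear only in the second run.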