tomcat-users mailing list archives

From Jeff Krug <>
Subject Re: Tomcat and CRL(s) Certification Revocation Lists
Date Wed, 10 May 2006 17:57:08 GMT
Fri, May 05, at 04:31 PM, Jack has proclaimed:
> I have already gotten Tomcat to work with a (single) CRL, and as it
> was a bit of a struggle have placed some info for those trying to do
> this at [1]. The document is far from perfect, and any comments are
> welcome.
> [1]

Thanks for this page.  I am not using JBoss, but it has been useful.  I
have client certificate authentication working correctly, but I cannot
seem to get CRLs to work.  

I built my CRL by executing:

$openssl ca -batch -gencrl -crldays 30 -out crl.pem

This way every user certificate I revoke can be packaged in a single
CRL. Is this type of CRL legitimate for use in Tomcat?

I rebuilt tomcat-util.jar based on the directions in this message from
the mailing list:

(I can't seem to connect to the official archive, hence the link to a
3rd party copy of that email)

I am using Tomcat 5.5.17 on Linux (no Apache).  My connector (in the
server.xml file) is:

<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreType="PKCS12" crlFile="/ca/crl/crl.pem" />

Is there a way to turn on sufficient debugging within Tomcat so that I
can try and figure out what is failing?  I don't see any error messages
in my tomcat.log file at all.  I don't know if it is even trying to
parse the crlFile, failing to parse the file, or if it is failing later
to recognize the certificate is revoked.

Jeff Krug
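A way to separate "CRL does not parse" from "CRL does not list this certificate", as an added example that is not part of the original thread. It assumes Tomcat's JSSE connector hands the crlFile to the JDK's standard X.509 CertificateFactory, so if this program cannot parse the file, Tomcat cannot either; the file paths are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Set;

/*
 * Offline CRL sanity check for a client-auth setup.
 * Usage: java CrlCheck /ca/crl/crl.pem client-cert.pem   (paths are placeholders)
 * Assumption: the JDK X.509 parser used here is the one Tomcat relies on.
 */
public class CrlCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java CrlCheck <crl.pem> <client-cert.pem>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // Step 1: can the JDK parse the CRL at all? (PEM "-----BEGIN X509 CRL-----" is accepted.)
        // A CRLException here means Tomcat would fail at the same point.
        X509CRL crl;
        try (InputStream in = new FileInputStream(args[0])) {
            crl = (X509CRL) cf.generateCRL(in);
        }
        Set<?> entries = crl.getRevokedCertificates();   // null when the CRL is empty
        System.out.println("CRL issuer     : " + crl.getIssuerX500Principal());
        System.out.println("thisUpdate     : " + crl.getThisUpdate());
        System.out.println("nextUpdate     : " + crl.getNextUpdate());
        System.out.println("revoked entries: " + (entries == null ? 0 : entries.size()));
        // PKIX validation rejects a CRL whose nextUpdate is in the past (here: -crldays 30).
        if (crl.getNextUpdate() != null && crl.getNextUpdate().before(new Date())) {
            System.out.println("WARNING: CRL has expired; regenerate it with openssl ca -gencrl");
        }

        // Step 2: does the CRL actually apply to, and list, this client certificate?
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[1])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        boolean sameIssuer = crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal());
        System.out.println("cert issuer matches CRL issuer: " + sameIssuer);
        System.out.println("cert serial 0x" + cert.getSerialNumber().toString(16)
                + " listed as revoked: " + crl.isRevoked(cert));
    }
}
```

If the CRL parses, matches the issuer and lists the serial but Tomcat still accepts the certificate, the problem is in the connector wiring rather than in the CRL file.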
