tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Krug <tom...@krugs.org>
Subject Re: Tomcat and CRL(s) Certification Revocation Lists
Date Wed, 10 May 2006 17:57:08 GMT
Fri, May 05, at 04:31:PM : Jack has proclaimed:
> I have already gotten Tomcat to work with a (single) CRL, and as it
> was a bit of a struggle have placed some info for those trying to do
> this at [1]. The document is far from perfect, and any comments are
> welcome.
> 
> [1] http://jack.godau.googlepages.com/jbosscertificatesandopenssl

Thanks for this page.  I am not using JBoss, but it has been useful.  I
have client certificate authentication working correctly, but I cannot
seem to get CRLs to work.  

I built my CRL by executing:

$openssl ca -batch -gencrl -crldays 30 -out crl.pem

This way every user certificate I revoke can be packaged in a single
CRL. Is this type of CRL legitimate for use in Tomcat?

I rebuilt tomcat-util.jar based on the directions in this message from
the mailing list:

http://threebit.net/mail-archive/tomcat-users/msg00121.html

(I can't seem to connect to the official archive, hence the link to a
3rd party copy of that email)

I am using Tomcat 5.5.17 on Linux (no Apache).  My connector (in the
server.xml file) is:

<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreType="PKCS12" crlFile="/ca/crl/crl.pem"
           keystoreFile="/ca/ssl/idp.p12"
           keystorePass="######"
          />


Is there a way to turn on sufficient debugging within Tomcat so that I
can try and figure out what is failing.  I don't see any error messages
in my tomcat.log file at all.  I don't know if it is even trying to
parse the crlFile, failing to parse the file, or if it is failing later
to recognize the certificate is revoked.

Thanks,
Jeff Krug


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message