tomcat-users mailing list archives

From Jack <>
Subject Re: Tomcat and CRL(s) Certification Revocation Lists
Date Thu, 11 May 2006 07:36:31 GMT
Hi Jeff,

You have the keystore type set as PKCS12 even though the CRL is a PEM
format file (and hence not PKCS12 format).
PKCS12 contains the private key as well as the cert and public key,
which is not applicable to the CRL file, so this might be why it is
getting confused.

You could try removing the keystoreType field and building the
keystores as described on my page (as the method described there
definitely works).

> <Connector port="443" maxHttpHeaderSize="8192"
>            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>            enableLookups="false" disableUploadTimeout="true"
>            acceptCount="100" scheme="https" secure="true"
>            clientAuth="true" sslProtocol="TLS"
>            keystoreType="PKCS12" crlFile="/ca/crl/crl.pem"
>            keystoreFile="/ca/ssl/idp.p12"
>            keystorePass="######"
>           />

  <!-- SSL/TLS Connector configuration using the admin devl guide keystore-->
    <Connector port="8443" address="${jboss.bind.address}"
        maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
        scheme="https" secure="true" clientAuth="true"
        sslProtocol = "TLS"
        crlFile="${jboss.server.home.dir}/conf/server.crlFile"  />

On 10/05/06, Jeff Krug <> wrote:
> Fri, May 05, at 04:31 PM: Jack has proclaimed:
> > I have already gotten Tomcat to work with a (single) CRL, and as it
> > was a bit of a struggle have placed some info for those trying to do
> > this at [1]. The document is far from perfect, and any comments are
> > welcome.
> >
> > [1]
> Thanks for this page.  I am not using JBoss, but it has been useful.  I
> have client certificate authentication working correctly, but I cannot
> seem to get CRLs to work.
> I built my CRL by executing:
> $ openssl ca -batch -gencrl -crldays 30 -out crl.pem
> This way every user certificate I revoke can be packaged in a single
> CRL. Is this type of CRL legitimate for use in Tomcat?

If it is a standard format CRL I would think so.

> Is there a way to turn on sufficient debugging within Tomcat so that I
> can try and figure out what is failing.  I don't see any error messages
> in my tomcat.log file at all.  I don't know if it is even trying to
> parse the crlFile, failing to parse the file, or if it is failing later
> to recognize the certificate is revoked.

Again not sure on this point. I went with the prolonged trial and
error method :(
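Whatever the keystore type, the quickest way to answer both of Jeff's questions (is an "openssl ca -gencrl" CRL a legitimate CRL, and where is it failing) is to check the CRL outside Tomcat first. The script below is an added example and not code from the thread or from Jack's page: it builds a throwaway CA ("Demo CA") with its own minimal openssl.cnf, issues a client certificate (CN=jeff), revokes it, regenerates the CRL with the same "openssl ca -gencrl -crldays 30" command Jeff used, and then uses openssl alone to confirm that the CRL parses as a standard X.509 CRL listing the revoked serial and that "openssl verify -crl_check" rejects the certificate. All names and paths are constructed for the demo. If this passes for your real CA, CRL and client certificate, the CRL is fine and the problem is on the Tomcat side.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway CA, issue a client
# certificate, revoke it, produce the CRL the same way as in the thread
# (openssl ca -gencrl) and confirm with openssl alone that the CRL is a
# standard CRL and that the revoked certificate is rejected against it.
# All names and paths below are constructed for this demo.
set -e

# Returns 0 when: the cert verifies against an empty CRL, the CRL generated
# after revocation parses and lists the serial, and the same cert then fails
# "openssl verify -crl_check". Returns 1 otherwise (the temp dir is left
# behind in that case so the files can be inspected).
crl_demo() {
  work=$(mktemp -d)
  ca="$work/ca"
  cfg="$work/openssl.cnf"
  mkdir -p "$ca/newcerts"
  : > "$ca/index.txt"       # empty CA database
  echo 01 > "$ca/serial"
  echo 01 > "$ca/crlnumber"

  # Self-contained OpenSSL config so the demo does not depend on the
  # system openssl.cnf. \$dir stays literal for openssl to expand.
  cat > "$cfg" <<EOF
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign,cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = usr_cert
[ policy_any ]
commonName = supplied
EOF

  # CA key + self-signed cert, then a client key + CSR signed through
  # "openssl ca" so the issued cert is recorded in index.txt.
  openssl req -config "$cfg" -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo CA" -keyout "$ca/ca.key" -out "$ca/ca.crt" >/dev/null 2>&1
  openssl req -config "$cfg" -new -newkey rsa:2048 -nodes \
    -subj "/CN=jeff" -keyout "$work/client.key" -out "$work/client.csr" >/dev/null 2>&1
  openssl ca -config "$cfg" -batch -notext \
    -in "$work/client.csr" -out "$work/client.crt" >/dev/null 2>&1

  # 1. With an empty CRL the certificate must still verify.
  openssl ca -config "$cfg" -gencrl -crldays 30 -out "$work/crl.pem" >/dev/null 2>&1
  openssl verify -crl_check -CAfile "$ca/ca.crt" -CRLfile "$work/crl.pem" \
    "$work/client.crt" >/dev/null 2>&1 || return 1

  # 2. Revoke and regenerate the CRL exactly as the thread does.
  openssl ca -config "$cfg" -revoke "$work/client.crt" >/dev/null 2>&1
  openssl ca -config "$cfg" -batch -gencrl -crldays 30 -out "$work/crl.pem" >/dev/null 2>&1

  # 3. Is it a standard, parseable CRL that lists the revoked serial?
  #    ("openssl crl -text" also shows the issuer, which must be the same
  #    CA that signed the client certificate.)
  openssl crl -in "$work/crl.pem" -noout -text 2>/dev/null \
    | grep -q 'Serial Number: 01' || return 1

  # 4. Now the same certificate must be rejected ("certificate revoked").
  if openssl verify -crl_check -CAfile "$ca/ca.crt" -CRLfile "$work/crl.pem" \
       "$work/client.crt" >/dev/null 2>&1; then
    return 1
  fi

  rm -rf "$work"
  return 0
}

crl_demo && echo "CRL is well-formed and the revoked certificate is rejected"
```

Run the same four checks against the real ca.crt, crl.pem and a revoked user certificate: "openssl crl -in crl.pem -noout -text" shows the issuer (it must be the CA that signed the client certificates, otherwise Tomcat has nothing to match the CRL against) and the nextUpdate date (an expired CRL is useless). For the Tomcat side, start the JVM with -Djavax.net.debug=ssl,handshake to see the client certificate chain and the point at which the handshake fails, and keep in mind that the connector reads crlFile when it initialises, so restart Tomcat after regenerating the CRL before re-testing.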

