From "Bill Barker" <>
Subject Re: Tomcat and CRL(s) Certification Revocation Lists
Date Sat, 06 May 2006 19:07:19 GMT

>"Jack" <> wrote in message 
>I have already gotten Tomcat to work with a (single) CRL, and as it
>was a bit of a struggle have placed some info for those trying to do
>this at [1]. The document is far from perfect, and any comments are
>Now to the questions:
>1. Is it possible to swap out the CRL (ie overwrite it with a newer
>one) and have the changes picked up without a restart?

Not currently.  The CRL list is read at startup, and handed off to the 

>1.a. if a restart is needed is it enough to restart Tomcat or jboss be

Actually, just the Connector needs to be restarted (so Tomcat in your case).

>2. Is it possible to use multiple CRLs (by pointing at a directory for 

Not currently.  Tomcat just takes a single file at the moment.

>2.a. if so would changes to this directory be dynamically read?

To avoid bouncing the Connector, it would require a specialized CertStore 
implementation.  Neither "Collection" nor "LDAP" (which Tomcat doesn't
currently support either :) really do what you want.

>2.b. if not where is a good place (for me) to start looking at how to
>implement this?

All of the CRL code is in (found under 
connectors/util in the source distro).  Knock yourself out ;-).

>I would like to somehow have dynamic CRL loading (so something that
>can do this without restarting either jboss or tomcat). I am not picky
>as to it being a single CRL or a directory of same.
>The claim "natural" is not synonymous with safe.
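As an added example (not part of Bill's reply and not Tomcat's own code), this is one shape the "specialized CertStore" idea above could take in plain JCA: a "Collection" CertStore whose backing list is refreshed from a directory of CRL files, so the PKIX validator that holds it sees new CRLs without the Connector being bounced. It assumes a directory containing DER or PEM encoded CRLs passed on the command line; the class and method names (ReloadableCrlStore, reload, staleCrls, check) are hypothetical, and wiring it into the Connector's trust manager is the part of the Tomcat source Bill points at, which this example does not touch.

```java
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.CRL;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArrayList;

/**
 * Example only (not Tomcat code): a CRL CertStore whose contents can be
 * refreshed from a directory at runtime instead of being read once at startup.
 */
public final class ReloadableCrlStore {
    private final Path crlDir;                                   // assumed: holds DER or PEM CRL files
    private final List<X509CRL> crls = new CopyOnWriteArrayList<>();
    private final CertStore store;

    public ReloadableCrlStore(Path crlDir) throws Exception {
        this.crlDir = crlDir;
        // CollectionCertStoreParameters keeps a *reference* to the collection, so
        // later edits to 'crls' are visible to the CertStore without rebuilding it
        // (and without rebuilding whatever PKIXParameters holds the store).
        this.store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));
        reload();
    }

    /** Re-scan the directory; returns the number of CRLs now loaded. */
    public synchronized int reload() throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509CRL> fresh = new ArrayList<>();
        try (DirectoryStream<Path> ds = Files.newDirectoryStream(crlDir)) {
            for (Path p : ds) {
                if (!Files.isRegularFile(p)) continue;
                try (InputStream in = Files.newInputStream(p)) {
                    for (CRL c : cf.generateCRLs(in)) fresh.add((X509CRL) c);
                }
            }
        }
        // Add before removing so a concurrent lookup never sees an empty store
        // (with revocation enabled that would fail validation outright rather than
        // silently accept a revoked certificate). X509CRL.equals compares the
        // encoded form, so retainAll drops exactly the CRLs no longer on disk.
        crls.addAll(fresh);
        crls.retainAll(fresh);
        return crls.size();
    }

    /** CRLs whose nextUpdate has passed: the CA has published a newer one that is not here yet. */
    public List<X509CRL> staleCrls() {
        Date now = new Date();
        List<X509CRL> stale = new ArrayList<>();
        for (X509CRL crl : crls) {
            if (crl.getNextUpdate() != null && crl.getNextUpdate().before(now)) stale.add(crl);
        }
        return stale;
    }

    /** Validate a certificate issued directly by one of the anchors against the loaded CRLs. */
    public void check(X509Certificate cert, Set<TrustAnchor> anchors) throws Exception {
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);               // no usable CRL for the issuer => validation fails
        params.addCertStore(store);
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(cert));
        CertPathValidator.getInstance("PKIX").validate(path, params);  // throws CertPathValidatorException when revoked
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) { System.err.println("usage: ReloadableCrlStore <crl-directory>"); return; }
        ReloadableCrlStore s = new ReloadableCrlStore(Paths.get(args[0]));
        System.out.println("loaded " + s.crls.size() + " CRL(s)");
        for (X509CRL crl : s.crls) {
            System.out.println("  " + crl.getIssuerX500Principal() + " nextUpdate=" + crl.getNextUpdate());
        }
        for (X509CRL crl : s.staleCrls()) {
            System.out.println("STALE: " + crl.getIssuerX500Principal());
        }
        // Drop a newer CRL into the directory and call reload() (from a timer or a
        // WatchService); the next check() sees it without any restart.
    }
}
```

The two-step swap in reload() is the detail that matters operationally: clearing the list and then refilling it would leave a window in which the validator finds no CRL at all, and with revocation enabled that is a hard failure for every handshake in that window. The staleCrls() check is the monitoring hook: a CRL past its nextUpdate means the directory is behind the CA, which is exactly the condition a dynamic loader exists to avoid.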

