tomcat-users mailing list archives

From Víctor Torres - UPF <victor.tor...@upf.edu>
Subject Re: problem with truststoreFile in server.xml
Date Wed, 25 Oct 2006 09:21:57 GMT
Have a look at the attached keystore. It contains 2 certificates. In the txt 
file you can find the contents. Each cert is identified by a localKeyID, 
which is different. This store does not contain private keys.

I say that truststoreFile should not contain private keys. Imagine that you 
want to trust clients which are signed by e.g. Verisign CA 1. Then, you 
cannot add Verisign CA 1 private key to your truststore, obviously, because 
it is secret. Moreover, to verify that a certificate is issued by Verisign 
you only need to check the client certificate signature with Verisign PUBLIC 
key, which is included in the certificate. That's why truststoreFile 
should not contain private keys. In fact, openSSL has something similar to 
truststoreFile which contains CA certificates (only certificates).

Any other comments?

Regards.

----- Original Message ----- 
From: "Martin Gainty" <mgainty@hotmail.com>
To: "Tomcat Users List" <users@tomcat.apache.org>; "Víctor Torres - UPF" 
<victor.torres@upf.edu>
Sent: Tuesday, October 24, 2006 8:25 PM
Subject: Re: problem with truststoreFile in server.xml


> Which other algorithm do you suggest to uniquely identify the cert 
> contained within the keystore?
> a sequence number?
> a reference to an object?
>
> The key (which is tied to the cert) uniquely identifies that particular 
> cert in your keystore file
>
> Saludos Cordiales!
> M-
> This e-mail communication and any attachments may contain confidential and 
> privileged information for the use of the
> designated recipients named above. If you are not the intended recipient, 
> you are hereby notified that you have received
> this communication in error and that any review, disclosure, 
> dissemination, distribution or copying of it or its
> contents
> ----- Original Message ----- 
> From: "Víctor Torres - UPF" <victor.torres@upf.edu>
> To: "Tomcat Users List" <users@tomcat.apache.org>; "Martin Gainty" 
> <mgainty@hotmail.com>
> Sent: Tuesday, October 24, 2006 11:55 AM
> Subject: Re: problem with truststoreFile in server.xml
>
>
>> Thanks, but this does not solve my problem.
>> What I can see in your directions is that you are using a JKS keystore and
>> you are importing the certificate and the private key.
>> What I was saying is that it should NOT be necessary to import the
>> private keys into a truststoreFile. In fact, when I use as truststoreFile a
>> PKCS12 with the certificate and private key it works. It fails when the
>> PKCS12 only contains the certificate. This seems to me strange.
>>
>> Any other suggestions?
>>
>>
>> ----- Original Message ----- 
>> From: "Martin Gainty" <mgainty@hotmail.com>
>> To: "Tomcat Users List" <users@tomcat.apache.org>; "Víctor Torres - UPF"
>> <victor.torres@upf.edu>
>> Sent: Tuesday, October 24, 2006 5:41 PM
>> Subject: Re: problem with truststoreFile in server.xml
>>
>>
>>> Hello Victor-
>>>
>>> you may want to follow the directions on how to create an empty keystore
>>> and then import the private key/certificate chain into the Java
>>> keystore using extkeytool
>>> http://www.switch.ch/aai/certificates/certificateupdate.html
>>>
>>> then take a look at the keys afterwards at
>>> keytool -v -list -keystore www.example.edu.jks
>>>
>>> Anyone else?
>>> M--
>>> ----- Original Message ----- 
>>> From: "Víctor Torres - UPF" <victor.torres@upf.edu>
>>> To: <users@tomcat.apache.org>
>>> Sent: Tuesday, October 24, 2006 9:14 AM
>>> Subject: problem with truststoreFile in server.xml
>>>
>>>
>>>> Dear all,
>>>>
>>>> I have configured my Tomcat 5.5.17 to require SSL client authentication.
>>>> For this purpose, I have stored my root CA certificate into a PKCS12
>>>> keystore which I use as truststoreFile by configuring server.xml. This CA
>>>> certificate is used to sign user certificates that I want to be trusted.
>>>>
>>>> The problem I have is the following:
>>>> - truststoreFile (PKCS12) contains root CA certificate + private key ->
>>>>   everything works perfectly.
>>>> - truststoreFile (PKCS12) contains root CA certificate -> clients
>>>>   cannot connect.
>>>>
>>>> truststoreFile should not contain private keys, so why does Tomcat
>>>> behave in this way?
>>>>
>>>> Thanks in advance.
>>>>
>>>> ---------------------------------------------------------------------
>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
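A diagnostic added here (not code from the thread or from Tomcat) that shows what the JVM actually loads from a truststore file: the kind of each entry (certificate only versus key plus certificate) and how many issuers the resulting X509TrustManager would accept, which is what decides whether client certificates can be verified at all. It assumes a standard JSSE provider; which PKCS12 certificate bags become trusted entries depends on the JDK's PKCS12 implementation, so a cert-only PKCS12 that reports zero accepted issuers is, for client auth, an empty truststore.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Lists the entries the JVM keeps from a truststore file and counts the
 *  issuers the trust manager built from it would accept for client auth. */
public class TruststoreCheck {

    /** Loads the store (type is the value you would give truststoreType,
     *  e.g. "PKCS12" or "JKS") and returns the number of accepted issuers. */
    static int acceptedIssuers(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }

        // A trust store should show only certificate entries; a key entry
        // means a private key is sitting in the file, which it never needs.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            String kind = ks.isKeyEntry(alias) ? "key+cert" : "cert only";
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.println(alias + " [" + kind + "] " + c.getSubjectX500Principal());
        }

        // The same JSSE factory a Tomcat SSL connector relies on; the accepted
        // issuers are the CA names offered to the client during the handshake.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        int count = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                count += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        int n = acceptedIssuers(args[0], args[1], args[2].toCharArray());
        System.out.println("accepted issuers: " + n
            + (n == 0 ? "  <- no CA would be trusted for client auth" : ""));
    }
}
```

Run it as `java TruststoreCheck truststore.p12 PKCS12 <password>` once with the cert-only file and once with the cert+key file to see why only the second one lets clients connect.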
