tomcat-users mailing list archives

From Víctor Torres - UPF <victor.tor...@upf.edu>
Subject Re: problem with truststoreFile in server.xml
Date Wed, 25 Oct 2006 15:44:03 GMT
Hi Martin, all,

This is what I use:

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="C:\server.p12"
               keystorePass="password" keystoreType="PKCS12"
               truststoreFile="C:\root.p12"
               truststorePass="password" truststoreType="PKCS12"/>

The keystore.p12 I sent in my previous mail was just an example with empty 
password of how to insert 2 certificates.
From my experience, Tomcat does not accept PKCS12 with empty password as 
keystore nor as truststore.
The real PKCS12 truststoreFile I use contains only 1 cert (fails) or 
cert+privatekey (works).
Regards.

----- Original Message ----- 
From: "Martin Gainty" <mgainty@hotmail.com>
To: "Víctor Torres - UPF" <victor.torres@upf.edu>; "Tomcat Users List" 
<users@tomcat.apache.org>
Cc: <michael.courcy@gmail.com>
Sent: Wednesday, October 25, 2006 4:16 PM
Subject: Re: problem with truststoreFile in server.xml


> Hello Victor-
>
> since we're talking about Tomcat and we want to keep this thread on topic
> how would you integrate your trustStoreFile to the connector definition in 
> server.xml?
>
> Saludos,
> M
> This e-mail communication and any attachments may contain confidential and 
> privileged information for the use of the
> designated recipients named above. If you are not the intended recipient, 
> you are hereby notified that you have received
> this communication in error and that any review, disclosure, 
> dissemination, distribution or copying of it or its
> contents
> ----- Original Message ----- 
> From: "Víctor Torres - UPF" <victor.torres@upf.edu>
> To: "Tomcat Users List" <users@tomcat.apache.org>; "Martin Gainty" 
> <mgainty@hotmail.com>
> Cc: <michael.courcy@gmail.com>
> Sent: Wednesday, October 25, 2006 5:21 AM
> Subject: Re: problem with truststoreFile in server.xml
>
>
>> Have a look at the attached keystore. It contains 2 certificates. In the 
>> txt
>> file you can find the contents. Each cert is identified by a localKeyID,
>> which is different. This store does not contain private keys.
>>
>> I say that truststoreFile should not contain private keys. Imagine that 
>> you
>> want to trust on clients which are signed by e.g. Verisign CA 1. Then, 
>> you
>> cannot add Verisign CA 1 private key to your truststore, obviously, 
>> because
>> it is secret. Moreover, to verify that a certificate is issued by 
>> Verisign
>> you only need to check the client certificate signature with Verisign 
>> PUBLIC
>> key, which is included in the certificate. That's why truststoreFile
>> should not contain private keys. In fact, openSSL has something similar 
>> to
>> truststoreFile which contains CA certificates (only certificates).
>>
>> Any other comments?
>>
>> Regards.
>>
>> ----- Original Message ----- 
>> From: "Martin Gainty" <mgainty@hotmail.com>
>> To: "Tomcat Users List" <users@tomcat.apache.org>; "Víctor Torres - UPF"
>> <victor.torres@upf.edu>
>> Sent: Tuesday, October 24, 2006 8:25 PM
>> Subject: Re: problem with truststoreFile in server.xml
>>
>>
>>> Which other algorithm do you suggest to uniquely identify the cert
>>> contained within the keystore?
>>> a sequence number?
>>> a reference to an object?
>>>
>>> The key (which is tied to the cert) uniquely identifies that particular
>>> cert in your keystore file
>>>
>>> Saludos Cordiales!
>>> M-
>>> ----- Original Message ----- 
>>> From: "Víctor Torres - UPF" <victor.torres@upf.edu>
>>> To: "Tomcat Users List" <users@tomcat.apache.org>; "Martin Gainty"
>>> <mgainty@hotmail.com>
>>> Sent: Tuesday, October 24, 2006 11:55 AM
>>> Subject: Re: problem with truststoreFile in server.xml
>>>
>>>
>>>> Thanks, but this does not solve my problem.
>>>> What I can see in your directions is that you are using JKS keystore 
>>>> and
>>>> you
>>>> are importing the certificate and the private key.
>>>> What I was saying is that it should NOT be necessary to import the
>>>> private
>>>> keys into a truststoreFile. In fact, when I use as truststoreFile a
>>>> PKCS12
>>>> with the certificate and private key it works. It fails when the PKCS12
>>>> only
>>>> contains the certificate. This seems to me strange.
>>>>
>>>> Any other suggestions?
>>>>
>>>>
>>>> ----- Original Message ----- 
>>>> From: "Martin Gainty" <mgainty@hotmail.com>
>>>> To: "Tomcat Users List" <users@tomcat.apache.org>; "Víctor Torres - 
>>>> UPF"
>>>> <victor.torres@upf.edu>
>>>> Sent: Tuesday, October 24, 2006 5:41 PM
>>>> Subject: Re: problem with truststoreFile in server.xml
>>>>
>>>>
>>>>> Hello Victor-
>>>>>
>>>>> you may want to follow the directions on how to create an empty 
>>>>> keystore
>>>>> and then import the private key/certificate chain into the java
>>>>> keystore using extkeytool
>>>>> http://www.switch.ch/aai/certificates/certificateupdate.html
>>>>>
>>>>> then take a look at the keys afterwards at
>>>>> keytool -v -list -keystore www.example.edu.jks
>>>>>
>>>>> Anyone else?
>>>>> M--
>>>>> ----- Original Message ----- 
>>>>> From: "Víctor Torres - UPF" <victor.torres@upf.edu>
>>>>> To: <users@tomcat.apache.org>
>>>>> Sent: Tuesday, October 24, 2006 9:14 AM
>>>>> Subject: problem with truststoreFile in server.xml
>>>>>
>>>>>
>>>>>> Dear all,
>>>>>>
>>>>>> I have configured my Tomcat 5.5.17 to require SSL client
>>>>>> authentication.
>>>>>> For
>>>>>> this purpose, I have stored my root CA certificate into a PKCS12
>>>>>> keystore
>>>>>> which I use as truststoreFile by configuring server.xml. This CA
>>>>>> certificate
>>>>>> is used to sign user certificates that I want to be trusted.
>>>>>>
>>>>>> The problem I have is the following:
>>>>>> - truststoreFile (PKCS12) contains root CA certificate + private
>>>>>> key ->
>>>>>> everything works perfectly.
>>>>>> - truststoreFile (PKCS12) contains root CA certificate -> clients
>>>>>> cannot
>>>>>> connect.
>>>>>>
>>>>>> truststoreFile should not contain private keys, so why does Tomcat
>>>>>> behave
>>>>>> in
>>>>>> this way?
>>>>>>
>>>>>> Thanks in advance.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>
>>>>>>
>>>>
>>>>
>> 


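Added example, not part of the thread and not Tomcat's or Java's own tooling: a small openssl script that builds the certificate-only PKCS12 truststore the thread argues for, confirms that it holds one certificate and no private key, and checks a CA-signed client certificate against the CA certificate alone, which is all the signature check needs. A self-signed certificate the CA never issued is checked too and must be rejected. The file names, the password value "password", the WORK directory variable and the subjects "Example Root CA", "client1" and "rogue" are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): CA-only PKCS12 truststore with openssl,
# plus a check that client-certificate verification needs only the CA's public
# certificate. File names, password and subjects are constructed here.
set -e

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory for all files

# 1. Root CA: private key + self-signed certificate. The key never goes into
#    the truststore; it is only used to sign client certificates.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. Client certificate issued by the CA (what clientAuth="true" receives).
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/client.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -out "$WORK/client.crt" >/dev/null 2>&1
}

# 3. Truststore: PKCS12 holding ONLY the CA certificate (-nokeys), with a
#    non-empty password, as truststoreFile/truststorePass expect.
make_truststore() {
    openssl pkcs12 -export -nokeys -in "$WORK/ca.crt" \
        -out "$WORK/root.p12" -passout pass:password
}

# Number of private keys inside the truststore; a truststore should have 0.
truststore_key_count() {
    openssl pkcs12 -in "$WORK/root.p12" -passin pass:password -nodes 2>/dev/null \
        | grep -c 'BEGIN PRIVATE KEY' || true
}

# Number of certificates inside the truststore; expected 1 (the root CA).
truststore_cert_count() {
    openssl pkcs12 -in "$WORK/root.p12" -passin pass:password -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Verify the client certificate using the CA certificate alone (public key).
verify_client() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1
}

# Negative case: a self-signed certificate not issued by the CA must fail.
verify_untrusted() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=rogue" \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/rogue.crt" >/dev/null 2>&1
}

make_ca && make_client && make_truststore
echo "private keys in truststore: $(truststore_key_count)"
echo "certificates in truststore: $(truststore_cert_count)"
verify_client && echo "client1: trusted" || echo "client1: NOT trusted"
verify_untrusted && echo "rogue: trusted (unexpected)" || echo "rogue: rejected"
```

The resulting root.p12 is the shape of file the thread's truststoreFile should have: one CA certificate, no key. It can be inspected with the keytool command already mentioned in the thread, adding -storetype PKCS12 (keytool -v -list -keystore root.p12 -storetype PKCS12). The failure Víctor reports with a certificate-only PKCS12 on Tomcat 5.5 matches a limitation of the Java PKCS12 keystore provider of that era, which could not load certificate-only files as trusted entries (support arrived in Java 8); on such a JVM the workaround is a JKS truststore populated with keytool -importcert, which likewise stores only the CA certificate.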

