tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ronald Spiers" <>
Subject Re: Reloading keystore - how to register a new TrusStore Manager for Tomcat?
Date Mon, 11 Jun 2007 15:15:22 GMT
Hi Mark, thans a lot for your comments.

The problem is that I found a way to generate via API a PKCS12
keystore for my client, but it won't be based on my server's

I could not find a way to auto-enroll users using openssl and Java, I
mean control openssl commands from Java to create PKCS12 keystores
they can import, already signed by my server certificate, so that my
server will trust in them without having to reload the Truststore (if
I understood well you last paragraph).

That's why I was looking into this problem, once I was able to create
these clients certificates via API (
CertAndKeyGen.getSelfCertificate() ) and store the client certificates
into my truststore, I thought the natural next step was to reload the
truststore in some way, because these certificates are not linked to
my server-certificate and the server must verify them. It seems I have
to resort to openssl to sign them with my server's certificate, but I
don't know how to do that programatically with Java.

I searched the tomcat archives and found that others comfronted this
problem and probably shared my misconception of the certificate
system, but no one reported it as solved, either by doing it the right
way via openssl or finally implementing a trustManager, or something
like that using JSSE APIs (which is what I would prefer).

Thanks for the links anyway, if you have some resource about
controlling the process via openssl with Java, please share it with


On 6/11/07, Mark Claassen <> wrote:
> Humm.  I don't think this is how the certificate system is supposed to be
> used.  The intention is that the truststore handles certificates authorities
> you trust.
> For an example, let's switch to the browser.
> Browsers generally trust Verisgn and Thwart out of the box.  You can see
> these certificates in your browser's options pages.
> So, let's say you go to  Amazon will have a certificate that was
> created for them by, say, Verisign.  Your browser will get the amazon
> certificate and see that it was created by verisign.  Since your browser
> already trusts verisign, it will trust that amazon is who it says it is.
> (Verifying identity is the certificate's primary function.)
> Tomcat works the same way.  So, in your case, maybe you want to create your
> own certificate and put it into your truststore.  Then, as you create
> certificates for other's, you create them based on the certificate you
> loaded into your truststore.  Since Tomcat already trusts this one, all the
> certificates you create and give to others will also be
> reconfiguration necessary.
> Mark
> Some helpful links:
> -----Original Message-----
> From: Ronald Spiers []
> Sent: Monday, June 11, 2007 10:21 AM
> To:
> Subject: Reloading keystore - how to register a new TrusStore Manager for
> Tomcat?
> Hi, I am preparing a self enrollment webapp for generating client
> certificates and adding them to the server keystore. I know that Tomcat
> won't reload keystore unless the server is restarted, so I did look for
> alternatives, and the JSSE guide explains an approach to this in the section
> "Creating Your Own X509TrustManager".
> My question is: Does anybody in this list have some experience solving this
> problem?, providing tomcat a custom trust manager to dynamically add a
> client certificate to the verification path when client credentials are
> presented?
> Can self-enrollment be done using Tomcat and JSSE? maybe it can't be done I
> am just wasting my time ;) I have searched a lot in the last 3 days, tomcat
> list archives and other materials, I have not found a single solution to
> this problem, except for the JSSE guide and this article, that explains how
> to create a trustManager and a SSLContext for implementing S/MIME with
> JavaMail:
> *
> Thanks a lot for any feedback you can provide.
> Regards,
> Martin
> ---------------------------------------------------------------------
> To start a new topic, e-mail: To unsubscribe,
> e-mail:
> For additional commands, e-mail:
> ---------------------------------------------------------------------
> To start a new topic, e-mail:
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message