tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Tomcat and Outgoing SSL
Date Fri, 25 Sep 2009 15:17:36 GMT


On 9/23/2009 11:49 PM, Steve Cohen wrote:
> I have a backend application that runs under Tomcat.  It does not serve
> Web pages.  It depends on various services that use SSL in one way or
> another:
> 1) It connects with a vendor's Web Service over https:, which depends on
> one of the certificates in the default cacerts file
> 2) It connects with another vendor's Web Service over https: but this
> one depends on a CA certificate issued by the vendor.
> 3) It makes SSL-encrypted connections to a MySQL database using a
> self-generated SSL certificate.
> I can get this to work by using keytool and importing the entire cacerts
> keystore, the self-generated CA cert for mysql, and the second vendor's
> CA cert into a single truststore, then setting system properties to
> point at this at app startup.
> But this feels like a real hack.

So, you basically copy the system cacerts file and merge in the two
other certificates? That doesn't sound too bad to me.

Another option is to simply modify the system cacerts file.

I thought that the JVM would load the system cacerts file plus
~/.cacerts or something similar automatically. Have you looked at the
documentation for SocketFactory and friends?

Another option is to simply turn off certificate checking for SSL
connections, but I really don't recommend this except for testing.

-chris
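
Added example, not part of the original thread or of Tomcat's code: one way to get the merged truststore discussed above without copying or editing cacerts, by combining the JVM's default trust anchors with extra CA certificates in memory and handing the result to an SSLContext. The class name and the certificate file paths passed on the command line are assumptions.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

public class MergedTrust {
    /** JVM default trust anchors plus every certificate in the given PEM/DER files. */
    static KeyStore mergedTrustStore(Path... extraCaFiles) throws Exception {
        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        merged.load(null, null); // empty, in-memory only; nothing on disk is modified
        // init(null) loads the default truststore (cacerts, unless the
        // javax.net.ssl.trustStore system property points somewhere else).
        TrustManagerFactory defaults =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        defaults.init((KeyStore) null);
        int n = 0;
        for (TrustManager tm : defaults.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    merged.setCertificateEntry("default-" + n++, ca);
                }
            }
        }
        // Add the vendor CA and the self-generated MySQL CA (or any other extras).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (Path file : extraCaFiles) {
            try (InputStream in = Files.newInputStream(file)) {
                for (Certificate ca : cf.generateCertificates(in)) {
                    merged.setCertificateEntry("extra-" + n++, ca);
                }
            }
        }
        return merged;
    }

    /** SSLContext that validates peers against the merged anchors; checking stays on. */
    static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default RNG
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args: paths to the extra CA certificate files (hypothetical names).
        Path[] extras = java.util.Arrays.stream(args).map(Paths::get).toArray(Path[]::new);
        KeyStore ks = mergedTrustStore(extras);
        System.out.println(ks.size() + " anchors, " + contextFor(ks).getProtocol());
    }
}
```

The socket factory from `contextFor(...).getSocketFactory()` can be given to an individual `HttpsURLConnection` with `setSSLSocketFactory`, so the extra CAs are trusted only by the connections that need them rather than JVM-wide.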
