tomcat-users mailing list archives

From Felix Schumacher <>
Subject Re: Tolerate expired certificates
Date Tue, 26 Apr 2011 19:52:12 GMT
On Tue, 26 Apr 2011 20:44:38 +0200, Thomas Hill wrote:
> Hi,
> I am using clientAuth on Tomcat 5.5.30, JVM version 1.6.0_21-b06 from
> Sun on Linux. The client certificates are self-generated and signed as
> I am acting as CA for the client certificates. Authentication is
> working as expected until the certificate expiry date is reached which
> is when I am getting "ssl_error_certificate_unknown_alert" errors
> returned and the connection is refused. I would like Tomcat to be more
> tolerant and continue accepting the certificate even after its
> expiration. Is there a way to change the configuration such that this
> can be achieved?
> Note: Sun's JSSE implementation by default (in contrast to IBM's)
> accepts expired self-signed certificates - I also found this to be the
> case when my Java application is communicating direct with an Apache
> Derby Data Base Server running SSL. I would like the same tolerance
> and behaviour be evidenced when connecting via Tomcat in a web/browser
> based application environment.
I haven't tried it, but it looks like the attribute
'trustManagerClassName' should help you with Tomcat 7.11 and newer.

I do wonder why you want expired certificates to still be valid, if
you are the CA anyway and could certainly sign new ones for free.

> Thanks
> Thomas