tomcat-users mailing list archives

From Daniel Mikusa <>
Subject Re: configured truststore ignored by tomcat
Date Wed, 19 Sep 2012 14:33:31 GMT
On Sep 19, 2012, at 2:40 AM, wrote:

> Hi all, 
> I have a tomcat 6.0.35 that needs to connect to a remote server using 
> https, so it is acting as a https client: it means that tomcat must have 
> the remote server certificate installed.
> The ideal solution I found is to configure the truststore in the 
> server.xml.
> Please see the following:
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>               maxThreads="150" scheme="https" secure="true"
>               keystoreFile="keystore/keystore.p12"
>               keystoreType="pkcs12"
>               keystorePass="<password>"
>               truststoreFile="keystore/truststore.p12"
>               truststoreType="pkcs12"
>               truststorePass="<password>"
>               clientAuth="optional" sslProtocol="TLS" />
> So, I configured the truststore and the server.xml.

This will configure the keystore / truststore used by the Connector.  It does not configure
the keystore / truststore used by the JVM for making HTTPS client requests.

> After restarting tomcat I got an ssl exception 
> PKIX path building failed: 
> unable to find 
> valid certification path to requested target
> Enabling the property I could see that tomcat is simply 
> ignoring the truststore I configured.
> Let me add that I tried also with no luck to change the truststore format 
> to jks. I add also that the remote server cert is inside the truststore 
> since I can see it with keytool.
> Do you know why? What else could I check? 

See explanation above.  Here is an example.  The trick is to set the ""
and "" system properties.

Or you could disable validation altogether.  Not something you'd want to do for a production
site though.


> Regards
> Marco

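The distinction drawn in the reply above, as an added example that is not part of the original message or of Tomcat: outbound HTTPS calls take their trust anchors from the JVM or from an SSLContext the application builds, not from the Connector element in server.xml. The sketch below loads a PKCS12 truststore explicitly, lists what it will trust, and applies it to a single connection with validation left on. This per-connection approach is a different technique from the JVM-wide system properties the reply refers to; the class name and command-line arguments are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class OutboundTrustCheck {  // hypothetical class name

    /** Trust managers backed only by the certificates in the given PKCS12 file. */
    static TrustManager[] trustManagersFrom(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        InputStream in = new FileInputStream(path);
        try {
            store.load(in, password);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        // args: <truststore.p12> <password> [https URL], all supplied by the caller
        TrustManager[] tms = trustManagersFrom(args[0], args[1].toCharArray());
        // List the issuers this trust manager will accept for outbound connections.
        for (X509Certificate ca : ((X509TrustManager) tms[0]).getAcceptedIssuers()) {
            System.out.println("trusted: " + ca.getSubjectX500Principal().getName());
        }
        if (args.length < 3) {
            return;
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        // Trust is scoped to this connection; chain and hostname validation stay enabled.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```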