tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Vávra <>
Subject ssl client certificate authentication
Date Wed, 10 Jul 2013 11:25:23 GMT
Hi all.
I've studied the documentation at and 
I have several questions on it.

1. While the APR/Native has config option SSLCACertificateFile that 
defines the set of allowed client cert authorities the JSSE SSL has no 
analogous option. Is the set of allowed client cert authorities defined 
implicitly by the java cacerts file located in 
$JAVA_HOME/lib/security/cacerts ?

2. It seems me that checking of revocation of client certificate is done 
via "static" crl files located in APR's SSLCARevocationPath or JSSE's 
crlFile. If I write a cron task that periodically downloads crl list(s), 
will the Tomcat react on this change of CRL file(s)? I've found in mail list a 5 years old mail saying that the Apache 
Server is not doing it.

3. And in general what is better to use APR or JSSE ? My opinion is: if 
the Tomcat serves not a web portal the JSSE is good enough although I 
can use only one crl file for client cert checking. In case of APR I 
must compile native libs on Linux so it is more complicated but more 
powerful ...


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message