tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [OT] Client not loading truststore or keystore
Date Wed, 02 Sep 2015 12:55:46 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Diarmuid,

(Marking as OT because this is not a Tomcat issue.)

On 9/1/15 5:34 PM, dmccrthy wrote:
> Sorry for the ambiguity, we're using scenario (b), outgoing client 
> connections. The server cert is signed by GeoTrust but we don't
> have the full CA chain in the truststore, only the server cert.

Okay, then you need to do the following:

1. Put your client key + signed certificate into your keystore
2. Put the server's cert (or GeoTrust's top-level CA cert and any
   intermediate certs that you might need) into your truststore
3. Configure your HTTP client to use the above keystore and trust store
   (or really just pull the client key+cert and configure them with
   the HTTP client... a keystore is not strictly necessary but it
   sometimes makes everything a bit easier if the HTTP client library
   can work with the keystore instead of individual Java objects)

That should be all you need to do. If your HTTP client library can
detect the system properties you've already set, then that's great. If
it can't, you'll need to use actual Java code to configure it properly.

If the above doesn't work, please provide stack traces when you get
errors. Since OpenSSL s_client works, your client key+cert are working
and you just need to get the configuration of your own client right.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJV5vHSAAoJEBzwKT+lPKRYnGYP/0s5tT+8vNQW4EaNquYLU94R
5VcbiPQRARJ/Q8bkTSPKFUALU6+l7wIhrEdVTNa4RgmHYEYn08F9/9mdre0ydOpv
1LJF1D6fjQeKvmbD3vLCfxad4YepurzD2gIhcQ38lcXPh0lGoANfFRaklX+jggRb
oQ+B4z89cTC3+HELckUqbftUjoSs1vbaogcbQo7jXL1z+Iwe0510A4ijud5sDkUe
xdFdU8PA3w9VbNMGAwtxYmvKEtwg3zzm45rvUafCHHbfQgXk9MTM+rl+dlxDdEpM
J7Rmt2j84dnl/uAQdVMEoN9ELf8KoSd36BiIgT1Yn2U08GFu1UUCkiKfPvc69jvp
beeHma6iZFdxYnPkbZcinKdXAuqlm+n6k8IMSkuN+iLP6wzoeI9hdWTJYi21pdrb
43Leh7xk41QLhRiySB7M55YVk/H13ZJHHQvNm1zTwaRutuwyKvb9t8srZ/a7eEe0
FZVyB4soRLoLco2KzYHboYhyCsLjgP30MzmJwLqAUm2JU8rAWLhpwXFLrPt0rURn
NNybVH+Nle2FXJ8SQkYo3PjzFwQlIRMnxhcAkl/i3GWG5QH5QirXAgJ2AI5UEj+t
3TIKEZKe3eAm6u0CNXoux8iVgkTDZHmqp/WtHr0nwIUMYaN7KOGWsm4wGAvBOg/O
6uNejioO4Kcu4/ZrVe8p
=vCLy
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message