Subject: Re: [OT] Client not loading truststore or keystore
To: Tomcat Users List
From: Christopher Schultz
Date: Wed, 02 Sep 2015 08:55:46 -0400

Diarmuid,

(Marking as OT because this is not a Tomcat issue.)

On 9/1/15 5:34 PM, dmccrthy wrote:
> Sorry for the ambiguity, we're using scenario (b), outgoing client
> connections. The server cert is signed by GeoTrust but we don't
> have the full CA chain in the truststore, only the server cert.

Okay, then you need to do the following:

1. Put your client key + signed certificate into your keystore
2. Put the server's cert (or GeoTrust's top-level CA cert and any intermediate certs that you might need) into your truststore
3. Configure your HTTP client to use the above keystore and trust store (or really just pull the client key+cert and configure them with the HTTP client... a keystore is not strictly necessary but it sometimes makes everything a bit easier if the HTTP client library can work with the keystore instead of individual Java objects)

That should be all you need to do. If your HTTP client library can detect the system properties you've already set, then that's great. If it can't, you'll need to use actual Java code to configure it properly.

If the above doesn't work, please provide stack traces when you get errors. Since OpenSSL s_client works, your client key+cert are working and you just need to get the configuration of your own client right.

-chris
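The three steps above, carried out in Java code rather than via `javax.net.ssl.*` system properties, as an added example that is not part of the original thread. The keystore/truststore file names, passwords and target URL are placeholders; it assumes both stores are PKCS12 files and that the client key+cert were imported into `client.p12` and the server (or CA) certs into `truststore.p12`.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {

    // Placeholder paths and passwords; replace with your own (assumed PKCS12 stores).
    static final String KEYSTORE = "client.p12";
    static final String TRUSTSTORE = "truststore.p12";
    static final char[] PASSWORD = "changeit".toCharArray();

    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Steps 1 and 2: the keystore supplies the client identity (KeyManager),
    // the truststore decides which server certs are accepted (TrustManager).
    static SSLContext buildSslContext() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadStore(KEYSTORE, PASSWORD), PASSWORD);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(TRUSTSTORE, PASSWORD));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Step 3: hand the SSLContext to the HTTP client explicitly, so it no longer
    // matters whether the library honours javax.net.ssl.keyStore and friends.
    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildSslContext();
        URL url = new URL("https://example.com/"); // placeholder target
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Default hostname verification stays in place; only the trust anchors changed.
        System.out.println("HTTP " + conn.getResponseCode() + " using " + conn.getCipherSuite());
    }
}
```

If the handshake still fails, the `SSLHandshakeException` stack trace names which side rejected the certificate, which is the detail the reply asks for.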