tomcat-users mailing list archives

From Chris Cheshire <>
Subject Re: using default cacerts AND custom keystore
Date Wed, 14 Feb 2018 20:34:41 GMT
On Wed, Feb 14, 2018 at 12:30 PM, Mark Thomas <> wrote:
> On 14/02/18 17:17, Chris Cheshire wrote:
>> I am trying to set up my webapp to connect to an external database via
>> ssl. The database uses a self-signed certificate. I have created a
>> keystore with the self-signed CA and the client key & cert. This
>> keystore is configured via JAVA_OPTS in
>> JAVA_OPTS="$CATALINA_BASE/conf/mysql.jks \
>> \
>>$CATALINA_BASE/conf/mysql.jks \
>> This allows me to connect to the database without a problem. However
>> now I cannot connect to any external web service because their certs
>> will no longer validate.
>> How do I configure tomcat such that the default cacerts is used in
>> addition to my self-signed certificates without importing those into
>> the default keystore (which is a Bad Idea™)?
> This is nothing to do with Tomcat. Tomcat plays no role in out-going TLS
> connections.
> The short answer is rather than using system properties, you should set
> the keystore and truststore programmatically so they apply just to the
> database connections rather than globally.

So after a bit of digging [1,2] I found that this is achieved by
adding the following parameters to the mysql jdbc url in the resource


Note that  [2] has a couple of errors.
A) it specifies clientCertificateKeyStore[Url|Password] in lieu of the
trustStore system property; that should be
B) it specifies the urls in the form
file:path_to_truststore_file; that is also incorrect, it should be
file://path_to_truststore_file (which will give a triple slash if an
absolute path is used)


Hope this helps someone else that happens to read the archives.
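As an added illustration of the per-connection approach described above (not from the thread or from the Tomcat project), the following is a Tomcat `<Resource>` definition that passes the truststore and client keystore to MySQL Connector/J through the JDBC URL, so the global `javax.net.ssl.*` system properties and the default `cacerts` are left untouched for other outbound TLS. The database host, resource name, credentials and the `${catalina.base}/conf/mysql.jks` path are assumptions; the property names (`useSSL`, `requireSSL`, `verifyServerCertificate`, `trustCertificateKeyStoreUrl`, `trustCertificateKeyStorePassword`, `clientCertificateKeyStoreUrl`, `clientCertificateKeyStorePassword`) are Connector/J's own.

```xml
<!-- Example context.xml fragment (assumed layout, not the thread's own config).
     Inside an XML attribute every '&' in the JDBC URL must be written as '&amp;'.
     Tomcat expands ${catalina.base} here, and since that is an absolute path the
     resulting URL is file:///..., i.e. the triple slash noted in the thread. -->
<Context>
  <Resource name="jdbc/appdb"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="com.mysql.jdbc.Driver"
            username="appuser"
            password="CHANGE_ME"
            maxTotal="20"
            maxIdle="5"
            url="jdbc:mysql://db.example.com:3306/appdb?useSSL=true&amp;requireSSL=true&amp;verifyServerCertificate=true&amp;trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks&amp;trustCertificateKeyStorePassword=CHANGE_ME&amp;clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks&amp;clientCertificateKeyStorePassword=CHANGE_ME"/>
</Context>
```

With `verifyServerCertificate=true` the driver validates the server certificate only against `mysql.jks`, so a test connection will fail if the self-signed CA is missing from that store rather than silently falling back to an unverified TLS session.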

