tomcat-users mailing list archives

From Michael Magnuson <mmagnu...@sempervalens.com>
Subject Re: OCSP Connector on Tomcat 8.5 not working
Date Tue, 25 Jun 2019 19:22:43 GMT


Mark, thanks for the further clarification.  With that setup, it prompts for the smart card
PIN and you can select your certificate, but then nothing happens.  The only way I can get
it to successfully open the page is if I also add the attributes trustStoreFile= and trustStorePass=
but still no OCSP action.

________________________________
From: Mark Thomas <markt@apache.org>
Sent: Tuesday, June 25, 2019 11:33 AM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

On 25/06/2019 19:24, Michael Magnuson wrote:
>
>
> Oh I see.  I was trying to use those fields for the OCSP responder information.  Thanks for the clarification.

You shouldn't need to explicitly define that. The assumption is that the
OCSP response has a trust chain that leads back to the same trusted
root as the client certs.

Mark


> ________________________________
> From: Mark Thomas <markt@apache.org>
> Sent: Tuesday, June 25, 2019 11:03 AM
> To: users@tomcat.apache.org
> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>
> On 25/06/2019 18:04, Michael Magnuson wrote:
>>
>>
>> Mark, are you defining your server SSL certificate someplace else, other than within the connector in server.xml?
>
> No.
>
>> From your example connector config, I'm not seeing it defined.
>
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            maxThreads="150" SSLEnabled="true" >
>   <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
>   <SSLHostConfig certificateVerification="required"
>                  caCertificateFile="conf/ca-rsa-cert.pem"
>                  certificateRevocationListFile="conf/crl.pem">
>     <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
>                  certificateFile="conf/localhost-rsa-cert.pem"
>                  certificateChainFile="conf/localhost-rsa-chain.pem"
>                  type="RSA" />
>   </SSLHostConfig>
> </Connector>
>
> Server key is defined by certificateKeyFile
> Server cert is defined by certificateFile
> Server cert chain is defined by certificateChainFile
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
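As an added illustration (not code from this thread or from Tomcat itself), the script below reads a server.xml and reports, for each SSL-enabled connector, how client certificates are verified and where their trust anchor comes from, using only the attribute names that appear in the thread. The sample server.xml is constructed: it pairs Mark's connector with a second one that mixes caCertificateFile with trustStoreFile, the workaround described above.

```python
"""Audit client-certificate trust settings of Tomcat <SSLHostConfig> elements."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml: Mark's connector from the thread, plus a second
# connector that sets both the PEM CA file and a JSSE-style trust store.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true">
      <SSLHostConfig certificateVerification="required"
                     caCertificateFile="conf/ca-rsa-cert.pem"
                     certificateRevocationListFile="conf/crl.pem">
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     certificateChainFile="conf/localhost-rsa-chain.pem" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true">
      <SSLHostConfig certificateVerification="optional"
                     caCertificateFile="conf/ca-rsa-cert.pem"
                     trustStoreFile="conf/truststore.jks">
        <Certificate certificateKeyFile="conf/k.pem" certificateFile="conf/c.pem" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

# Attributes that supply the trust anchor for client certificates.
TRUST_ATTRS = ("caCertificateFile", "trustStoreFile")


def audit_ssl_host_configs(server_xml):
    """Return one finding dict per <SSLHostConfig> under an SSL-enabled <Connector>."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        for shc in conn.findall("SSLHostConfig"):
            verification = shc.get("certificateVerification", "none")  # Tomcat default
            trust_sources = [a for a in TRUST_ATTRS if shc.get(a)]
            issues = []
            if verification != "required":
                issues.append("client certificate not required")
            if not trust_sources:
                issues.append("no trust anchor configured for client certificates")
            if len(trust_sources) > 1:
                issues.append("PEM CA file and JSSE trust store both set; review which is intended")
            if not shc.get("certificateRevocationListFile"):
                issues.append("no CRL file configured (revocation relies on OCSP alone)")
            findings.append({"port": conn.get("port"), "protocol": conn.get("protocol", "default"),
                             "verification": verification, "trust_sources": trust_sources,
                             "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_host_configs(SAMPLE_SERVER_XML):
        print(finding)
```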

