tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: OCSP Connector on Tomcat 8.5 not working
Date Thu, 20 Jun 2019 10:33:30 GMT
Tomcat version?

Tomcat Native version?

Mark


On 19/06/2019 23:46, Michael Magnuson wrote:
> Hi,
> 
> I'm running Tomcat 8.5 on RHEL 7.6.  I'm successfully using client certificate validation
from the smart card, but I would like to add client-cert OCSP revocation checking.  I *think*
I've set up the connector correctly in the server.xml file, but although the server starts
and operates fine with no errors in the logs, it is not sending any sort of OCSP traffic.
 The user certs do have the responder URL in the AIA field.
> I'm fairly new to this, so I ask some of you more knowledgeable folks to please review
my connector configuration and point out if something is wrong, or missing, or if there's
a setting some place else that I need to turn on.
> My connector configuration is as follows:
> 
>  <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
>                 maxThreads="150" SSLEnabled="true"
>                 scheme="https" SSLEnabled="true"
>                 SSLCertificateFile="path_to_server.crt"
>                 SSLCertificateKeyFile="path_to_server.key" SSLPassword="password"
>                 SSLCertificateChainFile="path_to_chain" SSLProtocol="TLSv1.1+TLSv1.2"
>                 clientAuth="want" trustStoreFile="path_to_truststore" trustStorePass="password"
>                 caCertificateFile="path_to_ca_file"
>                 certificateVerification="require"
>                 certificateVerificationDepth="10" >
>       <Certificate
>                 certificateFile="path_to_OCSP_signing_cert"
>                 certificateKeyFile="path_to_OCSP_public_key" />
> </Connector>
> 
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message