Chad La Joie wrote:

jean-frederic clere wrote:

Chad La Joie wrote:


Yeah, I know what mod-ssl says, and for most cases it's probably right,
however the optional_no_ca option is interesting to us because it
provides exactly the functionality that we need; accepting the client
cert, putting it in a standard place, and allowing our application to do
the verification for us.

As you said, PKCS12 wouldn't help us.  The problem isn't that the Java
keystore is somehow flawed.  It's that that's just not a viable
mechanism for us.  Our certificates are communicated in SAML2 metadata
files.  These files change periodically (when new service or identity
providers come online or old ones go offline).  We had discussed a
process whereby we'd extract the certs from the file and create a
keystore but that has an unacceptable drawback, in our opinion.  With
the SAML2 metadata files we can get fresh copies of those files and use
them immediately in a running system.  With the keystore mechanism
Tomcat would need to be restarted because the keystore, or at least part
of it, is cached in memory and as far as I can tell, the cache is never
refreshed.  Given the indeterminate frequency for metadata updates, we
do not see this as a viable solution for a production level system.


I am not sure I got it right...

If you have clients that use client certificates you only need to get
them signed by a CA that is known by Tomcat or do you want to change the
server certificate Tomcat is using?


That's the problem, Tomcat might not know the CA that signed the cert.
All certificate information, including CA(s), is expressed in the SAML2
metadata file.  It could be that the CA that signed the client cert was
something like Verisign, but it's much more likely to be the case that
it's some organization's CA, which Tomcat wouldn't know about.

OK I have added a new CA using:
+++
[EMAIL PROTECTED]:~> $JAVA_HOME/bin/keytool -import -trustcacerts -file ~/CERTS/demoCA/cacert.pem -keystore $JAVA_HOME/jre/lib/security/cacerts
+++
To get Tomcat to accept client certificates from this CA I had to restart it...
Bad.
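As an added example (not code from this thread, nor from Tomcat), here is the application-side check Chad describes, written in Python: the connector hands the client certificate through unverified, and the application matches it against the certificates published in the SAML2 metadata, re-reading the file whenever it changes so a fresh copy takes effect without a restart. The metadata layout is the standard md/ds namespaces; the entity IDs and certificate bytes are constructed placeholders.

```python
import base64, hashlib, os, tempfile
import xml.etree.ElementTree as ET
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def load_trusted(path):
    """Map SHA-256(cert DER) -> entityID for every ds:X509Certificate in the file."""
    trusted = {}
    for ent in ET.parse(path).iter(MD + "EntityDescriptor"):
        for node in ent.iter(DS + "X509Certificate"):
            der = base64.b64decode(node.text)       # b64decode ignores line breaks
            trusted[hashlib.sha256(der).hexdigest()] = ent.get("entityID")
    return trusted

class MetadataTrustStore:
    """Re-reads the metadata whenever the file changes; no container restart."""
    def __init__(self, path):
        self.path, self._stamp, self._trusted = path, None, {}
    def lookup(self, cert_der):
        """Return the entityID that published this exact cert, or None."""
        st = os.stat(self.path)
        stamp = (st.st_mtime_ns, st.st_size)    # cheap change detection
        if stamp != self._stamp:
            self._trusted, self._stamp = load_trusted(self.path), stamp
        return self._trusted.get(hashlib.sha256(cert_der).hexdigest())

def write_metadata(path, entities):
    """Write a minimal EntitiesDescriptor for [(entityID, cert_der), ...]."""
    root = ET.Element(MD + "EntitiesDescriptor")
    for entity_id, der in entities:
        ent = ET.SubElement(root, MD + "EntityDescriptor", entityID=entity_id)
        kd = ET.SubElement(ET.SubElement(ent, MD + "SPSSODescriptor"),
                           MD + "KeyDescriptor", use="signing")
        x509 = ET.SubElement(ET.SubElement(kd, DS + "KeyInfo"), DS + "X509Data")
        ET.SubElement(x509, DS + "X509Certificate").text = base64.b64encode(der).decode()
    ET.ElementTree(root).write(path)

# Constructed placeholder DER blobs, not real certificates.
CERT_A, CERT_B, CERT_C = b"der-of-sp-a", b"der-of-idp-b", b"der-of-new-sp-c"

def demo():
    """Add a provider to the metadata and show the store honours it without a restart."""
    path = os.path.join(tempfile.mkdtemp(), "metadata.xml")
    providers = [("https://sp-a.example", CERT_A), ("https://idp-b.example", CERT_B)]
    write_metadata(path, providers)
    store = MetadataTrustStore(path)
    before = (store.lookup(CERT_A), store.lookup(CERT_C))   # C not yet published
    write_metadata(path, providers + [("https://sp-c.example", CERT_C)])
    after = (store.lookup(CERT_C), store.lookup(b"not-in-metadata"))
    return before + after
```

Matching is on the exact certificate bytes the metadata carries, which is what the metadata actually publishes; chain validation against a CA listed there would be a further step on top of this lookup.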
