Luis,

On 10/1/18 11:06 AM, Luis Rodríguez Fernández wrote:
> Agree with Christopher, you have to fix your client. Just get the
> root Certificate Authority public key and import it in your client
> truststore.

I'd recommend trusting the finest-grained cert you can get away with.
That might not always be the root CA cert. It might be the server's
cert directly.

> If you did not change it, the client's (Java) default keystore is
> located in $JAVA_HOME/jre/lib/security/cacerts. Something like:
> 
> keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts
> -storepass trust_store_password_here -alias Root -import -file
> the_downloaded_ca.crt
> 
> The default password for cacerts is changeit

FWIW, I wouldn't recommend changing the JVM's trust store. I say so
for two reasons:

1. You will be trusting that certificate for ALL JVMS LAUNCHED
AFTERWARD. Perhaps you don't want some other service to trust your
192.168.1.120 certificate when it's only supposed to be used with a
single client service.

2. You will have to remember to update the trust store every time you
change your Java installation. That means upgrades, downgrades, etc.

The best way to do this IMO is to create a trust store specific for
that service (client) and use it EXPLICITLY.

-chris
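Added example, not part of the original message or of Tomcat's code: one way a Java client can use a service-specific trust store explicitly, leaving $JAVA_HOME/jre/lib/security/cacerts untouched. The class name, the TRUSTSTORE_PASSWORD variable and the command-line arguments are assumptions; the store file is expected to have been created with keytool and to contain only the certificate this client should trust.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ServiceTrustStoreClient {   // hypothetical class name

    // Builds an SSLContext whose only trust anchors are the entries in the
    // given trust store file; the JVM-wide cacerts file is never consulted.
    static SSLContext contextFrom(String storePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(storePath))) {
            trustStore.load(in, password);   // the password also checks store integrity
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                // Sanity check: should match the number of certs you imported.
                int n = ((X509TrustManager) tm).getAcceptedIssuers().length;
                System.out.println("trust anchors loaded: " + n);
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client key, default RNG
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: java ServiceTrustStoreClient <truststore-file> <https-url>
        // with the store password in the (hypothetical) TRUSTSTORE_PASSWORD variable.
        String pw = System.getenv("TRUSTSTORE_PASSWORD");
        if (args.length != 2 || pw == null) {
            System.err.println("usage: TRUSTSTORE_PASSWORD=... java ServiceTrustStoreClient <store> <url>");
            System.exit(2);
        }
        SSLContext ctx = contextFrom(args[0], pw.toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // applies to this connection only
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

Starting the client with -Djavax.net.ssl.trustStore pointing at the same file is the no-code alternative; it replaces the default trust store for that one JVM process rather than for every JVM on the host.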