Hi,

I'm running Tomcat 8.5 on RHEL 7.6. I'm successfully using client certificate validation from the smart card, but I would like to add client-cert OCSP revocation checking. I *think* I've set up the connector correctly in the server.xml file, but although the server starts and operates fine with no errors in the logs, it is not sending any sort of OCSP traffic. The user certs do have the responder URL in the AIA field.

I'm fairly new to this, so I ask some of you more knowledgeable folks to please review my connector configuration and point out if something is wrong, or missing, or if there's a setting some place else that I need to turn on.

My connector configuration is as follows:
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           SSLEnabled="true"
           SSLCertificateFile="path_to_server.crt"
           SSLCertificateKeyFile="path_to_server.key"
           SSLPassword="password"
           SSLCertificateChainFile="path_to_chain"
           SSLProtocol="TLSv1.1+TLSv1.2"
           clientAuth="want"
           trustStoreFile="path_to_truststore"
           trustStorePass="password"
           caCertificateFile="path_to_ca_file"
           certificateVerification="require"
           certificateVerificationDepth="10" >
    <Certificate certificateFile="path_to_OCSP_signing_cert"
                 certificateKeyFile="path_to_OCSP_public_key" />
</Connector>