Mark, thanks for the further clarification.  With that setup, it prompts for 
the smart card PIN and you can select your certificate, but then nothing 
happens.  The only way I can get it to successfully open the page is if I also 
add the attributes trustStoreFile= and trustStorePass= but still no OCSP action.

________________________________
From: Mark Thomas <ma...@apache.org>
Sent: Tuesday, June 25, 2019 11:33 AM
To: users@tomcat.apache.org
Subject: Re: OCSP Connector on Tomcat 8.5 not working

On 25/06/2019 19:24, Michael Magnuson wrote:
>
>
> Oh I see.  I was trying to use those fields for the OCSP responder 
> information.  Thanks for the clarification.

You shouldn't need to explicitly define that. The assumption is that the
OCSP response has a trust chain that leads back to the same trusted
root as the client certs.

Mark


> ________________________________
> From: Mark Thomas <ma...@apache.org>
> Sent: Tuesday, June 25, 2019 11:03 AM
> To: users@tomcat.apache.org
> Subject: Re: OCSP Connector on Tomcat 8.5 not working
>
> On 25/06/2019 18:04, Michael Magnuson wrote:
>>
>>
>> Mark, are you defining your server SSL certificate someplace else, other 
>> than within the connector in server.xml?
>
> No.
>
>> From your example connector config, I'm not seeing it defined.
>
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11AprProtocol"
>            maxThreads="150" SSLEnabled="true" >
>   <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
>   <SSLHostConfig certificateVerification="required"
>                  caCertificateFile="conf/ca-rsa-cert.pem"
>                  certificateRevocationListFile="conf/crl.pem">
>     <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
>                  certificateFile="conf/localhost-rsa-cert.pem"
>                  certificateChainFile="conf/localhost-rsa-chain.pem"
>                  type="RSA" />
>   </SSLHostConfig>
> </Connector>
>
> Server key is defined by certificateKeyFile
> Server cert is defined by certificateFile
> Server cert chain is defined by certificateChainFile
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


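The trust-chain requirement Mark describes can be checked offline with OpenSSL alone. The script below is an added example for this thread, not code from Tomcat or from either poster: it builds a throwaway client CA (standing in for conf/ca-rsa-cert.pem), issues one client certificate, answers an OCSP request for it twice, once signed under that CA and once by an unrelated CA, and then verifies both responses trusting only the client CA file, which is the same trust anchor the connector uses for client certificates. Every file name, subject, serial and directory in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from this thread or from Tomcat: shows that an OCSP
# response is only accepted when its signer chains to the CA file that the
# server already trusts for client certificates. All names are constructed.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# The trusted client CA (stands in for conf/ca-rsa-cert.pem in the connector config).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Client CA" \
  -keyout ca.key -out ca.pem >/dev/null 2>&1
# An unrelated CA that is not in the trusted CA file.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA" \
  -keyout other.key -out other.pem >/dev/null 2>&1

# A client certificate issued by the trusted CA, with a fixed serial number.
openssl req -newkey rsa:2048 -nodes -subj "/CN=demo user" \
  -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -set_serial 0x1234 \
  -days 1 -out client.pem >/dev/null 2>&1

# Responder database in openssl's index.txt format: status, expiry,
# revocation date (empty), serial, filename, subject. 'V' means still valid.
SERIAL="$(openssl x509 -in client.pem -noout -serial | cut -d= -f2)"
printf 'V\t491231235959Z\t\t%s\tunknown\t/CN=demo user\n' "$SERIAL" > index.txt

# OCSP request for the client cert, as a server would send it to the responder.
openssl ocsp -issuer ca.pem -cert client.pem -no_nonce -reqout req.der >/dev/null 2>&1 || true
[ -s req.der ]

# Answer the request offline. openssl also tries to verify the response it just
# built against the default store and may exit non-zero, so that status is ignored.
sign_response() {
  # $1 signer cert, $2 signer key, $3 output file
  openssl ocsp -index index.txt -CA ca.pem -rsigner "$1" -rkey "$2" \
    -reqin req.der -respout "$3" >/dev/null 2>&1 || true
  [ -s "$3" ]
}
sign_response ca.pem ca.key good.der       # signer chains to the trusted root
sign_response other.pem other.key bad.der  # signer chains to nothing the server trusts

# Verify the way the server does: only the client CA file is trusted.
# Returns 0 when openssl reports "Response verify OK".
response_trusted() {
  openssl ocsp -respin "$1" -issuer ca.pem -cert client.pem -no_nonce \
    -CAfile ca.pem 2>&1 | grep -q 'Response verify OK'
}

if response_trusted good.der; then echo "good.der: trusted"; else echo "good.der: rejected"; fi
if response_trusted bad.der; then echo "bad.der: trusted"; else echo "bad.der: rejected"; fi
```

Both responses say the certificate is good, and openssl prints that status line in both runs; only the verify verdict differs, so a check has to look at "Response verify OK" or "Response Verify Failure" rather than at the certificate status. The same applies to a real responder: if its signing certificate does not lead back to the root in caCertificateFile, the good/revoked answer it gives is never trusted in the first place.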