Hello, I'm setting up certificate client authentication on Tomcat 10.0.0 running on Java 16+36. I'm having trouble getting it to work with a CRL. My SSL connector is:
    <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
               port="8443" SSLEnabled="true" maxParameterCount="1000">
      <SSLHostConfig protocols="TLSv1.3" certificateVerification="optional"
                     caCertificatePath="conf/ca-certs"
                     certificateRevocationListPath="conf/ca-crls">
        <Certificate certificateKeyFile="conf/localhost-ec-key.pem"
                     certificateFile="conf/localhost-ec-cert.pem" />
      </SSLHostConfig>
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>

In my PKI setup (using OpenSSL), I have a root CA (cert: root-ca.pem) and a subordinate CA (cert: sub-ca-01.pem), which signs leaf certificates and issues a CRL (crl: sub-ca-01-crl.pem). File root-ca.pem is in conf/ca-certs. File sub-ca-01-crl.pem is in conf/ca-crls, as follows:

    0551d8aa.r0 -> sub-ca-01-crl.pem
    c79c8ddb.r0 -> sub-ca-01-crl.pem
    sub-ca-01-crl.pem -> /home/me/somedir/sub-ca-01-crl.pem

Before adding attribute «certificateRevocationListPath="conf/ca-crls"» to <SSLHostConfig>, client authentication works fine. The servlet can see a valid client certificate and extract its attributes from the X509Certificate object returned by request.getAttribute("jakarta.servlet.request.X509Certificate"). However, once I add attribute certificateRevocationListPath, the connector stops responding to requests that present a client certificate, regardless of whether the certificate is valid or revoked; it still responds, though, if the request does not present a client certificate. Firefox only shows error NS_ERROR_FAILURE in the "Transferred" column of the "Network" tab in developer tools.
The CRL is not expired (and won't be for a long time), as its printout shows:

    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: ecdsa-with-SHA256
            Issuer: CN = Sub CA 01
            Last Update: May  6 21:53:22 2025 GMT
            Next Update: Apr 12 21:53:22 2125 GMT
            CRL extensions:
                X509v3 CRL Number:
                    4097
    Revoked Certificates:
        Serial Number: 82AB03509A91A8DCCBA0CE62A67417B6
            Revocation Date: May  6 21:51:40 2025 GMT
            CRL entry extensions:
                X509v3 CRL Reason Code:
                    Unspecified
        Signature Algorithm: ecdsa-with-SHA256
             30:45:02:21:00:f7:98:07:1f:2f:cf:d5:ad:b7:5e:20:61:de:
             1b:7b:1f:c7:74:f9:80:33:d8:a2:cc:3a:75:28:4c:64:65:93:
             c1:02:20:5b:3e:e9:dd:52:9e:11:9b:45:5a:53:fc:2f:bb:b3:
             f4:db:52:64:f6:ea:13:54:43:d6:54:2b:f3:28:03:ae:6f

The problem persists if I drop attribute certificateRevocationListPath and replace it with «certificateRevocationListFile="conf/ca-crls/sub-ca-01-crl.pem"». It persists as well if I add to conf/ca-crls a CRL for the root CA. I found nothing helpful in the logs. The source of the problem escapes me. How can I get certificate client authentication to work with CRLs in Tomcat? Help is appreciated. Thank you.
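The following is an added example, not code from the post above or from the Tomcat project. It takes the CRL check out of the connector and reproduces it with OpenSSL alone, which is the first thing worth doing when an OpenSSL-backed (APR/native) connector goes silent after a CRL is configured: it builds a throwaway two-tier PKI in a temporary directory (Root CA, Sub CA 01, a good client certificate and a revoked one), publishes the CRLs in a hashed directory laid out like conf/ca-crls, and runs `openssl verify -crl_check_all` against both clients. It also shows what happens when only the subordinate CA's CRL is present, and checks that the `<hash>.r0` link name actually matches the CRL issuer. All names mirror the post but every key, certificate and CRL is generated here; the assumption that full-chain CRL checking (every issuer, root included, must have a current CRL) is what the native connector asks of OpenSSL is mine and is not stated on the page.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway two-tier PKI built
# with OpenSSL, CRLs published in hashed directories like conf/ca-crls, and
# OpenSSL's own full-chain CRL check run against good and revoked clients.
# Everything is generated under a temporary directory; nothing here is real.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal shared config for `openssl req` and `openssl ca`, rooted at $1.
make_ca_dir() {
  mkdir -p "$1/newcerts"; : > "$1/index.txt"
  echo 1000 > "$1/serial"; echo 1000 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca ]
default_ca = this_ca
[ this_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_dn
[ any_dn ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}
make_ca_dir "$WORK/root"
make_ca_dir "$WORK/sub"

# EC P-256 key ($1) plus CSR ($2) for subject CN=$3. Output is silenced;
# drop the redirection when debugging.
csr() {
  openssl req -config root/ca.cnf -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$1" -out "$2" -subj "/CN=$3" >/dev/null 2>&1
}
# Root CA (self-signed), Sub CA 01 (signed by the root), two client certs,
# one of which is then revoked by Sub CA 01.
openssl req -config root/ca.cnf -x509 -extensions ca_ext -days 365 -subj "/CN=Root CA" \
  -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout root/ca.key -out root/ca.pem >/dev/null 2>&1
csr sub/ca.key sub.csr "Sub CA 01"
openssl ca -config root/ca.cnf -batch -notext -extensions ca_ext -in sub.csr -out sub/ca.pem >/dev/null 2>&1
csr good.key good.csr "good client"
csr bad.key bad.csr "revoked client"
openssl ca -config sub/ca.cnf -batch -notext -extensions client_ext -in good.csr -out good.pem >/dev/null 2>&1
openssl ca -config sub/ca.cnf -batch -notext -extensions client_ext -in bad.csr -out bad.pem >/dev/null 2>&1
openssl ca -config sub/ca.cnf -revoke bad.pem -crl_reason unspecified >/dev/null 2>&1

# Two hashed stores: ca-store holds the root cert plus a CRL from each CA;
# ca-store-sub-only holds the root cert and only Sub CA 01's CRL.
mkdir ca-store ca-store-sub-only
cp root/ca.pem ca-store/root-ca.pem
cp root/ca.pem ca-store-sub-only/root-ca.pem
openssl ca -config sub/ca.cnf -gencrl -out ca-store/sub-ca-01-crl.pem >/dev/null 2>&1
openssl ca -config root/ca.cnf -gencrl -out ca-store/root-ca-crl.pem >/dev/null 2>&1
cp ca-store/sub-ca-01-crl.pem ca-store-sub-only/
openssl rehash ca-store ca-store-sub-only >/dev/null 2>&1   # makes <hash>.0 / <hash>.r0 links

# Chain + CRL check of client cert $2 against hashed store $1. The sub CA is
# passed as -untrusted, as a TLS client would send it in the handshake;
# -crl_check_all demands a CRL for every issuer in the chain, root included.
# Prints: ok | revoked | no-crl | failed: <openssl message>
verify_client() {
  if out=$(openssl verify -no-CAfile -CApath "$1" -crl_check_all -untrusted sub/ca.pem "$2" 2>&1); then
    echo ok
  elif printf '%s' "$out" | grep -q "certificate revoked"; then
    echo revoked
  elif printf '%s' "$out" | grep -q "unable to get certificate CRL"; then
    echo no-crl
  else
    echo "failed: $out"
  fi
}

# A <hash>.r0 link is only found when the CRL issuer's name hash equals the
# subject hash of the CA certificate that issued the client certificate.
crl_hash_matches_issuer() {
  [ "$(openssl crl -noout -hash -in "$1")" = "$(openssl x509 -noout -subject_hash -in "$2")" ]
}

verify_client ca-store good.pem            # ok
verify_client ca-store bad.pem             # revoked
verify_client ca-store-sub-only good.pem   # no-crl
crl_hash_matches_issuer ca-store/sub-ca-01-crl.pem sub/ca.pem && echo "CRL link name matches Sub CA 01"
```

Run the same three commands against a real conf/ca-certs and conf/ca-crls (with the subordinate CA certificate as `-untrusted` and the client certificate exported from the browser) and the result is a readable OpenSSL error instead of a dropped TLS connection; `openssl crl -noout -hash -in <crl>` prints the exact `<hash>` OpenSSL will look for in the `.r0` file name, which is the value to compare with the names in a `c_rehash`-generated directory.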