Hi Martin, all,
This is what I use:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="C:\server.p12"
keystorePass="password" keystoreType="PKCS12"
truststoreFile="C:\root.p12"
truststorePass="password" truststoreType="PKCS12"/>
The keystore.p12 I sent in my previous mail was just an example with an empty password of how to insert 2 certificates.
From my experience, Tomcat does not accept a PKCS12 with an empty password, neither as keystore nor as truststore.
The real PKCS12 truststoreFile I use contains only 1 cert (fails) or cert+privatekey (works).
Regards.
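What the two accounts above leave open is how many trusted entries the Java runtime actually reads out of the PKCS12, as opposed to how many certificates are in the file. The small Java tool below is an added example written for this page; it is not code from the thread or from Tomcat, and the file names, the alias "rootca" and the argument layout are illustrative. Its "check" mode loads a truststore the way the connector does, counts key entries and trusted-certificate entries, and then asks the resulting X509TrustManager which issuers it will accept during client authentication; an empty list means no client certificate can be verified. Its "build" mode writes a truststore of the shape truststoreFile expects: the CA certificate alone, stored as a trusted-certificate entry, with no private key. Two facts about the Java runtimes of the Tomcat 5.5 era explain the thread's observations and are worth knowing when reading the output: their PKCS12 implementation could only represent key entries, so a PKCS12 holding a lone certificate bag loaded as an empty keystore (trusted-certificate entries in PKCS12 arrived with Java 8, and on older JDKs setCertificateEntry on a PKCS12 store fails with "TrustedCertEntry not supported", so JKS is the format to use there), and JSSE takes the leaf certificate of every key entry as a trusted issuer, which is why a PKCS12 with cert+private key "worked" as a truststore even though the private key is not needed and should not be there.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added diagnostic, not part of the thread or of Tomcat. Written against the
 * Java 5 API so it also runs on the JDKs Tomcat 5.5 was deployed on.
 *
 *   java TruststoreCheck check <storeFile> <PKCS12|JKS> <password>
 *   java TruststoreCheck build <caCert.cer> <storeFile> <PKCS12|JKS> <password>
 */
public class TruststoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length >= 4 && "check".equals(args[0])) {
            check(args[1], args[2], args[3].toCharArray());
        } else if (args.length >= 5 && "build".equals(args[0])) {
            build(args[1], args[2], args[3], args[4].toCharArray());
        } else {
            System.err.println("usage: check <store> <PKCS12|JKS> <password>");
            System.err.println("       build <caCert> <store> <PKCS12|JKS> <password>");
            System.exit(2);
        }
    }

    // Load the store exactly as the connector's truststoreFile/-Type/-Pass would.
    static KeyStore load(String file, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(file);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    static void check(String file, String type, char[] password) throws Exception {
        KeyStore ks = load(file, type, password);
        int keyEntries = 0, trustedEntries = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                keyEntries++;
                System.out.println("key entry (private key + chain): " + alias);
            } else if (ks.isCertificateEntry(alias)) {
                trustedEntries++;
                System.out.println("trusted certificate entry:       " + alias);
            }
        }
        System.out.println(keyEntries + " key entries, " + trustedEntries + " trusted certificate entries");

        // Build the trust manager the same way JSSE does for the connector and ask it
        // which issuers it will accept. Zero accepted issuers means clientAuth="true"
        // can never succeed, whatever the file on disk contains.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                X509Certificate[] issuers = ((X509TrustManager) tm).getAcceptedIssuers();
                System.out.println(issuers.length + " accepted issuer(s):");
                for (X509Certificate c : issuers) {
                    System.out.println("  " + c.getSubjectX500Principal());
                }
            }
        }
    }

    static void build(String caCertFile, String storeFile, String type, char[] password) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(caCertFile);
        Certificate ca;
        try {
            ca = cf.generateCertificate(in);   // accepts the CA cert in PEM or DER form
        } finally {
            in.close();
        }
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);                   // start from an empty store
        // A truststore needs only the CA's public certificate, never its private key.
        // On JDKs before 8 this line throws for PKCS12 ("TrustedCertEntry not
        // supported"); pass JKS as the type there.
        ks.setCertificateEntry("rootca", ca);  // alias "rootca" is illustrative
        OutputStream out = new FileOutputStream(storeFile);
        try {
            ks.store(out, password);
        } finally {
            out.close();
        }
        System.out.println("wrote " + type + " truststore " + storeFile + " with 1 trusted certificate entry");
    }
}
```

Running "check" against the cert-only PKCS12 from the thread on a pre-Java 8 runtime prints 0 entries and 0 accepted issuers, which is the failure the original poster saw; against the cert+key PKCS12 it prints 1 key entry and 1 accepted issuer. A truststore produced by "build" (or by keytool -import -file root.cer -keystore root.jks, which creates the same kind of entry) prints 0 key entries, 1 trusted certificate entry and 1 accepted issuer, and is what truststoreFile should point at.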
----- Original Message -----
From: "Martin Gainty" <[EMAIL PROTECTED]>
To: "Víctor Torres - UPF" <[EMAIL PROTECTED]>; "Tomcat Users List"
<users@tomcat.apache.org>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, October 25, 2006 4:16 PM
Subject: Re: problem with truststoreFile in server.xml
Hello Victor-
since we're talking about Tomcat and we want to keep this thread on topic
how would you integrate your trustStoreFile to the connector definition in
server.xml?
Regards,
M
This e-mail communication and any attachments may contain confidential and
privileged information for the use of the
designated recipients named above. If you are not the intended recipient,
you are hereby notified that you have received
this communication in error and that any review, disclosure,
dissemination, distribution or copying of it or its
contents
----- Original Message -----
From: "Víctor Torres - UPF" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>; "Martin Gainty"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, October 25, 2006 5:21 AM
Subject: Re: problem with truststoreFile in server.xml
Have a look at the attached keystore. It contains 2 certificates. In the txt file you can find the contents. Each cert is identified by a localKeyID, which is different. This store does not contain private keys.
I say that truststoreFile should not contain private keys. Imagine that you want to trust clients which are signed by e.g. Verisign CA 1. Then, you cannot add the Verisign CA 1 private key to your truststore, obviously, because it is secret. Moreover, to verify that a certificate is issued by Verisign you only need to check the client certificate signature with the Verisign PUBLIC key, which is included in the certificate. That's why truststoreFile should not contain private keys. In fact, OpenSSL has something similar to truststoreFile which contains CA certificates (only certificates).
Any other comments?
Regards.
----- Original Message -----
From: "Martin Gainty" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>; "Víctor Torres - UPF"
<[EMAIL PROTECTED]>
Sent: Tuesday, October 24, 2006 8:25 PM
Subject: Re: problem with truststoreFile in server.xml
Which other algorithm do you suggest to uniquely identify the cert
contained within the keystore?
a sequence number?
a reference to an object?
The key (which is tied to the cert) uniquely identifies that particular
cert in your keystore file
Kind regards!
M-
----- Original Message -----
From: "Víctor Torres - UPF" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>; "Martin Gainty"
<[EMAIL PROTECTED]>
Sent: Tuesday, October 24, 2006 11:55 AM
Subject: Re: problem with truststoreFile in server.xml
Thanks, but this does not solve my problem.
What I can see in your directions is that you are using a JKS keystore and you are importing the certificate and the private key.
What I was saying is that it should NOT be necessary to import the private keys into a truststoreFile. In fact, when I use as truststoreFile a PKCS12 with the certificate and private key it works. It fails when the PKCS12 only contains the certificate. This seems to me strange.
Any other suggestions?
----- Original Message -----
From: "Martin Gainty" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>; "Víctor Torres -
UPF"
<[EMAIL PROTECTED]>
Sent: Tuesday, October 24, 2006 5:41 PM
Subject: Re: problem with truststoreFile in server.xml
Hello Victor-
you may want to follow the directions on how to create an empty keystore and then import the private key/certificate chain into the Java keystore using extkeytool
http://www.switch.ch/aai/certificates/certificateupdate.html
then take a look at the keys afterwards with
keytool -v -list -keystore www.example.edu.jks
Anyone else?
M--
----- Original Message -----
From: "Víctor Torres - UPF" <[EMAIL PROTECTED]>
To: <users@tomcat.apache.org>
Sent: Tuesday, October 24, 2006 9:14 AM
Subject: problem with truststoreFile in server.xml
Dear all,
I have configured my Tomcat 5.5.17 to require SSL client authentication. For this purpose, I have stored my root CA certificate into a PKCS12 keystore which I use as truststoreFile by configuring server.xml. This CA certificate is used to sign user certificates that I want to be trusted.
The problem I have is the following:
- truststoreFile (PKCS12) contains root CA certificate + private key -> everything works perfectly.
- truststoreFile (PKCS12) contains root CA certificate -> clients cannot connect.
truststoreFile should not contain private keys, so why does Tomcat behave in this way?
Thanks in advance.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------