Thanks Chris, Luis

On Tue, Oct 2, 2018 at 10:00 AM Luis Rodríguez Fernández <uo67...@gmail.com> wrote:
> Hello Christopher,
>
> It makes sense, thank you very much for your advice!
>
> Cheers,
>
> Luis
>
> On Mon, Oct 1, 2018 at 20:39, Christopher Schultz
> (<ch...@christopherschultz.net>) wrote:
>
> > Luis,
> >
> > On 10/1/18 11:06 AM, Luis Rodríguez Fernández wrote:
> > > Agree with Christopher, you have to fix your client. Just get the
> > > root Certificate Authority public key and import it in your client
> > > truststore.
> >
> > I'd recommend trusting the finest-grained cert you can get away with.
> > That might not always be the root CA cert. It might be the server's
> > cert directly.
> >
> > > If you did not change it in the client (Java), the default keystore is
> > > located in $JAVA_HOME/jre/lib/security/cacerts. Something like:
> > >
> > > keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts
> > > -storepass trust_store_password_here -alias Root -import -file
> > > the_downloaded_ca.crt
> > >
> > > The default password for cacerts is changeit
> >
> > FWIW, I wouldn't recommend changing the JVM's trust store. I say so
> > for two reasons:
> >
> > 1. You will be trusting that certificate for ALL JVMS LAUNCHED
> > AFTERWARD. Perhaps you don't want some other service to trust your
> > 192.168.1.120 certificate when it's only supposed to be used with a
> > single client service.
> >
> > 2. You will have to remember to update the trust store every time you
> > change your Java installation. That means upgrades, downgrades, etc.
> >
> > The best way to do this IMO is to create a trust store specific for
> > that service (client) and use it EXPLICITLY.
> >
> > -chris
>
> --
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
> - Samuel Beckett
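
Added example, not part of the thread and not code from any of the posters: one way a Java client can use a service-specific trust store explicitly, as recommended in the quoted reply, instead of importing into the JVM-wide cacerts. The class name, file names, alias and the TRUSTSTORE_PASSWORD environment variable are assumptions made for illustration.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example. The store is assumed to have been created beforehand, e.g.:
//   keytool -importcert -storetype PKCS12 -keystore client-truststore.p12 \
//           -alias backend -file server.crt
// (file names and alias are placeholders; keytool prompts for the store password).
public class DedicatedTrustStoreClient {

    // Builds an SSLContext whose only trust anchors are the entries in the given store.
    static SSLContext contextFor(String trustStorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(trustStorePath))) {
            ks.load(in, password);
        }
        if (ks.size() == 0) {
            // An empty store would otherwise surface later as an opaque handshake error.
            throw new IllegalStateException("no certificates in " + trustStorePath);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null key managers: no client certificate; null SecureRandom: JVM default.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java DedicatedTrustStoreClient <truststore> <https-url>
        // TRUSTSTORE_PASSWORD is a hypothetical environment variable name.
        char[] password = System.getenv("TRUSTSTORE_PASSWORD").toCharArray();
        SSLContext ctx = contextFor(args[0], password);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        // Applied to this connection only; the JVM-wide cacerts file is left untouched.
        // Hostname verification stays on, so the certificate must match the URL's host.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Where the client code cannot be changed, the same store can be given to that one JVM with the `-Djavax.net.ssl.trustStore` and `-Djavax.net.ssl.trustStorePassword` system properties, which replaces the default trust store for that process only.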