Revoking or deleting a client certificate

2004-05-12 Thread Plamen Neykov
Hi all,

It is probably a stupid question, but
I have a standalone tomcat installation with client authentication switched on
as described in the tomcat documentation. The problem is that anybody who has
a signed certificate from my CA can connect to tomcat - even if the client
certificate is not in the tomcat keystore. How can I make sure that only
clients with certificates existing in the tomcat keystore are allowed to
connect?


Thanks a lot!




Re: Revoking or deleting a client certificate

2004-05-12 Thread Plamen Neykov
Thanks for the very quick reply!

Initially I had only the certificates of the clients in the keystore
(no CA cert!), but I had trouble with MSIE and Mozilla - both refused to
present the certificate to the server, so no connection was possible from
those browsers :-(

On the second suggestion - it would not be very practical to send every
client a new CA cert every time someone leaves the community.

Is the Apache HTTP server better at that, or is it a kind of basic SSL problem
here?

Thanks!

On Wednesday 12 May 2004 23:03, QM wrote:
 On Wed, May 12, 2004 at 10:57:30PM +0200, Plamen Neykov wrote:
 : I have standalone tomcat installation with client authentication switched on
 : as described in the tomcat documentation. The problem is that anybody who has
 : a signed certificate from my CA can connect to tomcat - even if the client
 : certificate is not in the tomcat keystore.
 
 Yes, that's considered a strong selling point of SSL trust
 chains/hierarchies.  ;)
 
 
 : How can I make sure that only
 : clients with certificates existing in the tomcat keystore are allowed to
 : connect?
 
 Remove the CA cert from the keystore and install only the certs (pub
 keys, that is) of clients that should be allowed to connect.
 
 Barring that, create a special CA for just Tomcat connections and store
 that in the keystore.  That would spare you the trouble of adding
 clients to the keystore individually.
 
 -QM
 




Re: Revoking or deleting a client certificate

2004-05-12 Thread Plamen Neykov
I'm sure it will work ;-)

I think previously I misunderstood you - now, just for my understanding - I
should create a self-signed CA just for signing the server certificate and
then import into the keystore the client certificates, which are signed with the
org's standard CA cert. And then the client browsers should additionally be made
aware of this self-signed CA so that they can verify the server's
authenticity?

Is that right? (It actually sounds logical to me :-))

Thanks

