Hi Wolfgang,

> -----Original Message-----
> From: Wolfgang Stein [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 26, 2002 3:19 PM
> To: [EMAIL PROTECTED]
> Subject: Re: SSL Client authentication with standalone Tomcat
>
>
> > Imagine an online banking system with some thousand clients.
> > I can't believe that you have to import each
> > client cert into the keystore file.
>
> If you start Tomcat with the -Djavax.net.debug=all option
> you should be able to verify that Tomcat initially sends a list
> of trusted CAs taken from the cacerts file.
> This file should contain one CA (or more) that signed
> a client certificate signing request (or groups of them).
>
> But Anton Brazhnyk's suggestion could be an alternative way.
> If anybody succeeded in establishing the SSL client cert handshake
> after importing client certs into the keystore file only,
> please let us know.
>
Actually I meant importing the server certificate, since there wasn't
"-trustcacerts" in the statement with "-alias tomcat".
And, well, I'm not sure again... :)
The client cert should be signed with the certificate of the server (not just
with the CA certificate).

> Regards,
> Wolfgang
>
> > Anton Brazhnyk wrote:
> > ....
> > I'm not sure it's necessary, but I'd import the last certificate with the
> > following command:
> >
> > keytool -import -trustcacerts -file my.crt -alias tomcat
> > ....
>
> > > Wolfgang Stein wrote:
> > > ....
> > > As far as I understand the client-auth handshake,
> > > the server sends a list of trusted CAs to the client.
> > >
> > > This list is taken from
> > > <JAVA_HOME_set_in_your_tomcat>\lib\security\cacerts
> > > So you have to import your CA cert into that file,
> > > instead of your .keystore .
> > > There is no need to import the client cert into cacerts or keystore.
> > > ....

Anton
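The question running through this thread is which certificates the server's truststore (Tomcat's cacerts) needs to hold for SSL client authentication to work, and how to see the CA list the server announces. The program below is an added example for this page; it is not code from the thread, from Tomcat, or from either poster. It is written in Go rather than Java because the Go standard library lets the whole exchange run in one self-contained file, and the behaviour it shows is that of TLS itself, not of any particular server. Everything in it is constructed: a made-up CA ("Example Bank Client CA"), a server certificate for localhost, two client certificates ("alice", "bob") issued by that CA, and the function names issue, newTemplate, buildPKI and handshake are the example's own. The server runs on a loopback TCP port and requires a client certificate; two candidate truststores are tried, one holding only the CA certificate and one holding only the server's own certificate. On the client side, GetClientCertificate receives the CertificateRequest, whose AcceptableCAs field is exactly the list of trusted CA names that -Djavax.net.debug=all prints on the Java side.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a P-256 key and a certificate for tmpl; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// newTemplate builds a short-lived template; called without an EKU it is the CA template.
func newTemplate(cn string, serial int64, eku ...x509.ExtKeyUsage) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku}
	if len(eku) == 0 {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// pki is a constructed in-memory PKI with made-up names: one CA issues the server and all client certs.
type pki struct {
	ca                 *x509.Certificate
	caOnly, serverOnly *x509.CertPool // candidate truststores, in the role of Tomcat's cacerts
	server             tls.Certificate
	clients            map[string]tls.Certificate
}

func buildPKI() *pki {
	ca, caKey := issue(newTemplate("Example Bank Client CA", 1), nil, nil)
	st := newTemplate("localhost", 2, x509.ExtKeyUsageServerAuth)
	st.DNSNames = []string{"localhost"}
	srv, srvKey := issue(st, ca, caKey)
	p := &pki{ca: ca, caOnly: x509.NewCertPool(), serverOnly: x509.NewCertPool(),
		server:  tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		clients: map[string]tls.Certificate{}}
	p.caOnly.AddCert(ca)
	p.serverOnly.AddCert(srv)
	for i, cn := range []string{"alice", "bob"} {
		c, k := issue(newTemplate(cn, int64(10+i), x509.ExtKeyUsageClientAuth), ca, caKey)
		p.clients[cn] = tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
	}
	return p
}

// handshake runs one TLS connection over loopback TCP: the server demands a client certificate
// chaining to trust, the client offers cert. It returns the client CN the server verified ("" if
// rejected), whether the server's CertificateRequest listed the CA, and the server-side error.
func handshake(p *pki, trust *x509.CertPool, cert tls.Certificate) (clientCN string, advertisedCA bool, err error) {
	cliCfg := &tls.Config{RootCAs: p.caOnly, ServerName: "localhost",
		GetClientCertificate: func(req *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			for _, raw := range req.AcceptableCAs { // DER subject names: the list -Djavax.net.debug=all shows
				advertisedCA = advertisedCA || string(raw) == string(p.ca.RawSubject)
			}
			return &cert, nil
		}}
	srvCfg := &tls.Config{Certificates: []tls.Certificate{p.server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		conn, e := ln.Accept()
		if e == nil {
			s := tls.Server(conn, srvCfg)
			if e = s.Handshake(); e == nil {
				clientCN = s.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
			s.Close()
		}
		done <- e
	}()
	c := tls.Client(must(net.Dial("tcp", ln.Addr().String())), cliCfg)
	if c.Handshake() == nil {
		// A TLS 1.3 client is done before the server has verified its certificate: read until
		// the server sends close_notify (accepted) or a bad_certificate alert (rejected).
		io.Copy(io.Discard, c)
	}
	c.Close()
	err = <-done
	return clientCN, advertisedCA, err
}

func main() {
	p := buildPKI()
	fmt.Println(handshake(p, p.caOnly, p.clients["bob"]))     // bob true <nil>
	fmt.Println(handshake(p, p.serverOnly, p.clients["bob"])) // rejected: the server cert is no trust anchor
}
```

With the CA alone in the truststore both "alice" and "bob" are accepted and neither client certificate was ever imported anywhere on the server, which is the situation the "some thousand clients" question asks about; the server also advertises the CA's subject name in its CertificateRequest, so that is what to look for in the -Djavax.net.debug=all output. With only the server's own certificate in the truststore the same client is rejected, because a certificate issued by the CA does not chain to the server certificate. In Tomcat terms the truststore corresponds to p.caOnly: a keytool -import -trustcacerts of the CA certificate (file and alias names are whatever you choose) into the cacerts file or a dedicated truststore, kept separate from the -alias tomcat entry in the server keystore, which holds the server's own key and certificate.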
