----- Original Message -----
From: "Mark W. Webb" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Monday, March 31, 2003 4:54 PM
Subject: Re: mutual SSL authentication

> Is there a way that I can have apache handle all of the SSL? This would
> allow tomcat to only handle the servlet processing. Also, if there is a
> way to do this, could tomcat still get the user certificate information?

Yes, at least using mod_jk and mod_ssl. I finally succeeded in making it work with the help of http://www.houseofice.com/techie/projects/modjk/

Using apache1.3+mod_ssl, the directive "SSLOptions +ExportCertData" exports the (PEM encoded) client certificate in an environment variable called SSL_CLIENT_CERT. Didn't try that one out, having realized that it can be done with a standalone Tomcat.

> I do not want to get into storing client certs in the cacerts file. I
> am using tomcat in a PKI environment. If there are thousands of users
> accessing tomcat, this would mean that I would need to import 1000's of
> certs into this file.

No need to. You just need the CA (certificate authority) certificates in the cacerts file. That is, an authority that has digitally signed the client certificates presented. This is not really different from mod_ssl's SSLCACertificateFile directive. ...I think.

Janne

>...
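
How a servlet can read the client certificate once the TLS endpoint (Apache with mod_ssl and mod_jk, or standalone Tomcat) has verified it against the trusted CA, as an added example that is not part of the original message. It assumes the pre-Jakarta `javax.servlet` API and a hypothetical class name `ClientCertServlet`; the request attribute name is the one defined by the Servlet specification.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet name; map it in web.xml like any other servlet.
public class ClientCertServlet extends HttpServlet {

    // Standard Servlet-spec attribute holding the verified client chain.
    // (Containers on the jakarta.* namespace use "jakarta.servlet.request.X509Certificate".)
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // No chain means the connection was not mutually authenticated
        // (plain HTTP, or client verification not required by the front end).
        if (!req.isSecure() || chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Client certificate required");
            return;
        }

        // chain[0] is the end-entity (user) certificate; its issuer is a CA
        // in the trust store, so no per-user import is needed.
        X509Certificate client = chain[0];
        try {
            client.checkValidity(); // defence in depth: reject expired / not-yet-valid
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Client certificate outside its validity period");
            return;
        }

        resp.setContentType("text/plain;charset=UTF-8"); // DN is client-supplied data
        PrintWriter out = resp.getWriter();
        out.println("Subject: " + client.getSubjectX500Principal().getName());
        out.println("Issuer:  " + client.getIssuerX500Principal().getName());
        out.println("Serial:  " + client.getSerialNumber().toString(16));
        out.println("Expires: " + client.getNotAfter());
    }
}
```

The servlet trusts the chain only because the TLS endpoint already validated it against the CA certificates, so the AJP connector should accept connections from the Apache front end only.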
