On Tue, Nov 27, 2012 at 12:24 PM, Daniel Mikusa <dmik...@vmware.com> wrote:
> On Nov 27, 2012, at 9:55 AM, Will Nordmeyer wrote:
>
>> I have a self signed server certificate - and the user certs have no
>> association/connection to the server cert.
>
> I apologize, but I'm not exactly sure what you are trying to configure with
> the certs and the crl file. Can you take a step back from the problem and
> give us some higher level details on what you are trying to achieve with this
> configuration?
>
> Dan
OK, I am emulating the production environment for the application my development team works on. The production environment is on government facilities and equipment. Users authenticate with a Common Access Card (CAC) & PIN. Our current environment has a locally developed PIN check, which is insufficient going forward. Rather than developing code to do all of the work, it seems most appropriate to simply utilize the abilities built into Tomcat to do that before our application even gets accessed.

The development server I stood up is a virtual server, running CentOS 6.3 (64 bit), Tomcat 6.0.35 and openssl 1.0.0-fips. I used openssl to generate a self-signed certificate, rather than getting an actual SSL cert from an outside source, since this is a closed development system.

With that in mind, we are working to implement Certificate Authentication & Validation within Tomcat. I've got the environment configured to prompt for the certificate, and through the browser/client environment the PIN prompt is triggered without issue as long as the crlFile parameter isn't set in the connector. That was easy.

My problem comes when I attempt to implement Certificate Revocation List checking. The Government has a root certificate and about 20-30 different intermediate certificate authorities that could have issued the user certificate. I have loaded the root and intermediate government certificates into my local truststore and am loading it properly (based on the fact that the user certificates are recognized and accepted). I have downloaded all the root certificate CRL data and each individual CA's CRL data. Through the openssl commands, I converted them to PEM and then copied them all into one massive CRL file. I have also, for testing, created a file with the root CRL data and the CRL data for the CA which issued my certificate. When I run the complete CRL, I run out of memory (271 MB CRL).
When I run just the root & my CA, it doesn't run out of memory, but it also doesn't trigger the PIN prompt (I assume the CRL check happens before the PIN is checked?), and just displays "Page cannot be displayed." I know my certificate is OK - when I use it to access other sites that require that certificate, it works fine.

Does that give you a clear(er) picture? :)