Howdy folks,

If I set up a Tomcat connector in server.xml with clientAuth="true" and have the key store for Tomcat and a trust store, is the following true?

- All public key certificates issued by CAs in the trust store are allowed in?
- All user public key certificates in the trust store are allowed in (assuming their CAs are also in the same trust store)?
- Is the JRE's "cacert" file merged in with this trust store? (This is normally the case, but I figured I'd ask for clarity.)

Finally, regarding certificate validation:

- I'm assuming basic validation checks are performed, time checks, etc.
- If the requesting user cert has a CRL or OCSP URL attached to the cert, does Tomcat do anything to validate that the cert is still valid?

Regarding OCSP, I did see some documentation in the guides related to the Windows native connector, but I don't think I'm using that and would prefer to remain portable to Linux if possible. It's also not clear from the docs how or why it's used.
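For readers following the thread, here is the kind of server.xml connector the question refers to, as an added example that is not part of the original post. It uses the JSSE (pure Java, so Linux-portable) connector attributes documented for the Tomcat 7 / 8.0 HTTP connector; the file paths, passwords and port are constructed placeholders. The trust store listed here is the only trust store that connector consults for client certificates: if an issuing CA is not in it, the client is rejected regardless of what the JRE's own cacerts contains. The crlFile attribute is what turns on JSSE revocation checking against a locally kept CRL; without it the connector performs chain building, signature and validity-period checks but no revocation lookup.

```xml
<!-- Added example, not from the original post. Paths, passwords and port are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https" secure="true"
           sslProtocol="TLS"

           <!-- Server identity: the key pair Tomcat presents to clients -->
           keystoreFile="/etc/tomcat/conf/server-keystore.jks"
           keystorePass="CHANGE_ME_KEYSTORE"
           keystoreType="JKS"

           <!-- Require a client certificate; "want" would make it optional -->
           clientAuth="true"

           <!-- Trust store used ONLY for verifying client certificates.
                Keep it separate from the server keystore and limit it to the
                CA(s) that actually issue your client certificates. -->
           truststoreFile="/etc/tomcat/conf/client-truststore.jks"
           truststorePass="CHANGE_ME_TRUSTSTORE"
           truststoreType="JKS"

           <!-- Optional: a PEM/DER CRL file. Setting this enables JSSE
                revocation checking for presented client certificates;
                omitting it means no revocation check is done by Tomcat. -->
           crlFile="/etc/tomcat/conf/client-ca.crl" />
```

A practical check after deploying: connect with a certificate issued by a CA that is deliberately absent from client-truststore.jks and confirm the handshake fails, then revoke a test client certificate, regenerate the CRL file and confirm that certificate is refused too. If the second test still succeeds, revocation checking is not actually in effect.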