Robert,

On 1/19/25 4:57 PM, Robert Graham wrote:
> In the documentation (https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Importing_the_Certificate)
> it shows how to load externally trusted CA certificate chains with the keytool. Is there
> a way to specify using a specific OCSP responder URI versus using
> the ones listed in the certificates, either with a tomcat
> configuration or somehow set up locally on the OS?
I'm not sure it matters, but are you using the Java crypto library, or OpenSSL? Note that you can use OpenSSL through JSSE which is why I asked about which library it is. OpenSSL has some tricks up its sleeve that Java does not.

I think the short answer is "no, there is no way to do this".

It might even be a security issue to use a different OCSP responder. I haven't really thought about it critically.

> Our use case is that we want all clients to hit a local OCSP
> responder with the CRLs cached locally.
Why not just use a normal CRL and disable OCSP? Or is it that you want to use the CRL as a service and not as a local file?

> In version 21.0.5 of the Keytool, the man page mentions an
> ExtendedKeyUsage option for OCSPSigning, but I don’t believe that
> is exactly what we are looking for.
-chris
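Chris's suggestion of a plain CRL with OCSP left off, as an added example (not from either message in the thread): a Tomcat 9 SSLHostConfig fragment that requires client certificates, trusts the CA chain imported with keytool, and checks each client certificate against a locally maintained CRL file. Attribute names are those of the Tomcat 9 configuration reference; the file paths and password are placeholders.

```xml
<!-- Added example, not from the thread. Paths and password are placeholders. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true">
  <!-- certificateVerification="required" rejects clients without a valid certificate.
       truststoreFile holds the CA chain loaded with keytool (works for JSSE and OpenSSL).
       certificateRevocationListFile is the CRL you maintain locally; refresh it on
       the CA's publication schedule, since a stale CRL silently stops revoking. -->
  <SSLHostConfig certificateVerification="required"
                 truststoreFile="conf/client-ca-truststore.jks"
                 truststorePassword="changeit"
                 certificateRevocationListFile="conf/client-ca.crl"
                 protocols="TLSv1.2+TLSv1.3">
    <Certificate certificateKeystoreFile="conf/server.jks"
                 certificateKeystorePassword="changeit"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

With a CRL file configured, Tomcat validates presented client certificates against that file rather than contacting any OCSP responder named in the certificates; for the OpenSSL-backed connector, `certificateRevocationListPath` can point at a directory of hashed CRLs instead of a single file.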


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org