Rainer,
On 11/20/2009 1:51 PM, Rainer Jung wrote:
> OpenSSL Code looks like only returning the chain provided by the client,
> and the client should not provide the root.

Ok.

> At the moment I see no way of getting the root CA which verified the
> client chain from OpenSSL or Apache, so especially no way to forward it.

That's okay: I'm prepared to supply the root certificate on the server for verification. What I don't want to do is have to supply a handful of low-level signing certs and loop through them: I'd prefer to only use the root, and then verify the chain supplied by the client up to the root. This offers me great flexibility in how I do certificate signing: I can use several sub-level keys to sign many client certificates and the server only needs to worry about the root cert.

> The root should really be available directly to Tomcat in some
> certificate store and the client side of the chain received via mod_jk
> and TC 5.5.28 should be verified against that locally available root.
>
> Does that make sense?

Absolutely. I'm just wondering why it appears that I'm only getting one certificate from the request in Tomcat.

Thanks,
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
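The verification Chris describes, as an added example that is not code from this thread or from Tomcat: the client-supplied chain (leaf plus any intermediates, as forwarded by mod_jk) is validated with PKIX path validation against a single locally stored root, so the server never has to be configured with the intermediate signing certificates. The `rootPemPath` file location and the `ClientChainVerifier` class name are assumptions; the request attribute name is the Servlet-spec one.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;
import javax.servlet.http.HttpServletRequest;

/** Validates a client certificate chain against one trusted root CA only. */
public final class ClientChainVerifier {

    private final X509Certificate root;

    /** rootPemPath is a placeholder: the locally stored root CA certificate (PEM or DER). */
    public ClientChainVerifier(String rootPemPath) throws IOException, CertificateException {
        try (InputStream in = new FileInputStream(rootPemPath)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            this.root = (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Pulls the chain Tomcat exposes on the request (leaf first) and verifies it. */
    public X509Certificate verify(HttpServletRequest req) throws GeneralSecurityException {
        X509Certificate[] chain =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            throw new CertificateException("no client certificate presented");
        }
        return verify(Arrays.asList(chain));
    }

    /** Returns the end-entity certificate if the chain leads to the root, else throws. */
    public X509Certificate verify(List<X509Certificate> chain) throws GeneralSecurityException {
        // PKIX expects the path to stop just below the trust anchor, so drop the
        // root if a client sent it anyway (it should not, as noted in the thread).
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (!c.equals(root)) path.add(c);
        }
        if (path.isEmpty()) throw new CertificateException("chain contains only the root");

        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params =
            new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false); // no CRL/OCSP source configured in this example
        CertPathValidator.getInstance("PKIX").validate(certPath, params); // throws on failure
        return path.get(0);
    }
}
```

Because the trust anchor is the root alone, any number of intermediate signing CAs under it are accepted as long as each link in the client-supplied chain verifies; a chain that is missing an intermediate fails validation, which is what to check first when only one certificate arrives in the request.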