Andrey,

On 2/16/2010 7:46 AM, Andrey D wrote:
> Sorry, but I can't use apache httpd separately... only tomcat.. :(
>
> someone told me:
>
>> ok, I think the solution is this ....
>> create a CA ... then, import the CA public key into key-store
>> sign each client certificate with CA private key ..
>> I believe this will mean that when Tomcat requests a client certificate, it can be checked against the CA public key in keystore ...
>> have a look at this ..
>
> what do you think about it?

This sounds reasonable: basically, instead of creating many trusted certificates, you create a single trusted certificate, then use that to sign the client certificates. Tomcat trusts the signing certificate and therefore, implicitly, all the client certificates signed with that top-level one.

> and if it helps... how to do it....

Heh... it gets to be a bit of a pain in the neck. For starters, read the thread titled "mod_jk & Client SSL Certificates" from the archives back in October. Specifically, this message:

> http://tomcat.markmail.org/message/kzxsamuiu6bldjmv?q=%22mod_jk+%26+Client+SSL+Certificates%22+list:org.apache.tomcat.users

You can ignore most of the Apache httpd-related stuff, but I did end up creating the key stores in OpenSSL format, so you'll have to read through the certificate creation process in order to get a top-level certificate that you can actually use with my code.

Or, you could follow the client certificate "instructions" on Tomcat's website (I found the lack of documentation for using Client SSL certificates a little frustrating, but I ended up doing most of my work with OpenSSL, etc., and not Tomcat, so I don't really have any better instructions than what's already on the Tomcat site).
Good luck,
-chris
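The procedure the quoted advice describes (create a CA, sign each client certificate with it, trust only the CA in Tomcat) carried out end to end with OpenSSL, as an added example; this is not code from the thread or from Tomcat's documentation. The scratch directory, subject names, the "changeit" password and the user name "andrey" are assumptions. It goes one step past the quoted text by also importing the CA into a JKS truststore with keytool (skipped when no JDK is on the PATH) and by exercising the check that matters: a certificate from the CA verifies, a certificate from anyone else does not.

```shell
#!/bin/sh
# Added example, not from the original thread: a private CA for Tomcat client
# authentication. All file names, subjects and passwords here are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# 1. Create the CA: a self-signed certificate whose private key will sign
#    every client certificate. Only ca.crt goes into Tomcat's truststore;
#    ca.key stays off the server.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Issue a client certificate: key + CSR for the user, signed by the CA,
#    then bundled as PKCS#12 so a browser can import key and certificate.
make_client() {
  name="$1"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$name.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/$name.crt" -inkey "$WORK/$name.key" \
    -name "$name" -passout pass:changeit -out "$WORK/$name.p12" 2>/dev/null
}

# 3. The same decision Tomcat's truststore makes during the TLS handshake:
#    does the presented certificate chain to the trusted CA? Prints "ok"
#    for a CA-signed certificate and "fail" for anything else.
check_client() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# 4. Put only the CA certificate into a truststore for Tomcat. keytool ships
#    with the JDK; the step is skipped when it is not on the PATH.
make_truststore() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping"; return 0; }
  keytool -importcert -noprompt -trustcacerts -alias clientca \
    -file "$WORK/ca.crt" -keystore "$WORK/truststore.jks" -storepass changeit
}

# Connector attributes in server.xml that use the truststore (for reference):
#   clientAuth="true" truststoreFile="/path/to/truststore.jks" truststorePass="changeit"
# Caveat: every certificate this CA ever signed is accepted until it expires,
# so decide how you will revoke one (the connector's crlFile attribute) before
# handing certificates out.

main() {
  make_ca
  make_client andrey
  echo "andrey: $(check_client andrey)"
  make_truststore
}

main
```

Give each user their own .p12 file (and the password out of band); never distribute ca.key, since anyone holding it can mint a certificate Tomcat will accept.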