On Wed, May 12, 2004 at 10:57:30PM +0200, Plamen Neykov wrote:
: I have standalone tomcat installation with client authentication switched on
: as described in the tomcat documentation. The problem is that anybody who has
: a signed certificate from my CA can connect to tomcat - even if the client
: certificate is not in the tomcat keystore .....

Yes, that's considered a strong selling point of SSL trust chains/hierarchies. ;)

: How can I make sure that only
: clients with certificates existing in the tomcat keystore are allowed to
: connect?

Remove the CA cert from the keystore and install only the certs (pub keys,
that is) of clients that should be allowed to connect.

Barring that, create a special CA for just Tomcat connections and store that
in the keystore. That would spare you the trouble of adding clients to the
keystore individually.

-QM

--
software  -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
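The first option above (a truststore holding only the allowed clients' public certificates and no CA certificate) as an added example; this script is not from the thread and not part of Tomcat. It assumes the JDK's keytool is on PATH, and the file names, aliases, password and Tomcat attribute names in the comments are placeholders and assumptions about the Tomcat version in use. Besides importing the client certificates, it checks the finished truststore for any entry with BasicConstraints CA:true, which is exactly the entry that would re-open the door to every certificate that CA signs.

```shell
#!/bin/sh
# Added example (not from the original thread): build a Tomcat truststore that
# holds only the public certificates of the clients allowed to connect, with no
# CA certificate in it, and verify that no CA entry slipped in.
# Assumes keytool (from the JDK) is on PATH. File names, aliases and the
# password are placeholders.
set -eu

TRUSTSTORE="${TRUSTSTORE:-tomcat-clients.jks}"
STOREPASS="${STOREPASS:-changeit}"   # placeholder; use a real password

# import_client_cert CERT_FILE ALIAS
# Imports one client certificate (public key only, no private key) as a trusted
# entry. -noprompt is needed because the CA that signed it is deliberately absent,
# so keytool cannot build a chain and would otherwise ask for confirmation.
import_client_cert() {
  keytool -importcert -noprompt -alias "$2" -file "$1" \
    -keystore "$TRUSTSTORE" -storepass "$STOREPASS" >/dev/null
}

# list_aliases: prints one trusted-entry alias per line.
list_aliases() {
  keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
    | sed -n 's/^\([^,]*\), .*trustedCertEntry.*$/\1/p'
}

# count_ca_entries: number of entries whose BasicConstraints say CA:true.
# For a client-only truststore this must be 0.
count_ca_entries() {
  keytool -list -v -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
    | grep -c 'CA:true' || true
}

# check_truststore: fails if any CA certificate is present, because every
# certificate that CA has signed (or will sign) would then be accepted.
check_truststore() {
  n=$(count_ca_entries)
  if [ "$n" -ne 0 ]; then
    echo "ERROR: $TRUSTSTORE contains $n CA certificate(s)" >&2
    return 1
  fi
  echo "OK: $TRUSTSTORE trusts $(list_aliases | wc -l | tr -d ' ') client cert(s) and no CA"
}

# build_truststore FILE:ALIAS ...
# Imports each listed client certificate, then runs the check.
build_truststore() {
  for spec in "$@"; do
    import_client_cert "${spec%%:*}" "${spec#*:}"
  done
  check_truststore
}

# Tomcat side (assumption about the version in use): point the SSL connector at
# this file and require a client certificate, e.g. truststoreFile="tomcat-clients.jks"
# truststorePass="..." clientAuth="true" on <Connector> (Tomcat 5.5 to 8.0), or
# truststoreFile / truststorePassword / certificateVerification="required" on
# <SSLHostConfig> (Tomcat 8.5 and later).

# Usage: sh build-truststore.sh build alice.cer:alice bob.cer:bob
if [ "${1:-}" = "build" ]; then
  shift
  build_truststore "$@"
fi
```

Re-run check_truststore whenever the file is touched; the one mistake this guards against is somebody "fixing" a failed handshake by importing the CA certificate, which silently turns the allow-list back into "anyone with a certificate from that CA".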