Thanks for the very quick reply!

But .... initially I had only the clients' certificates in the keystore 
(no CA cert!), but I had trouble with MSIE and Mozilla - both refused to 
present the certificate to the server, so no connection was possible from 
those browsers :-(

On the second suggestion - it would not be very practical to send every 
client a new CA cert every time someone leaves the community....

Is the Apache HTTP server better at that, or is it a kind of basic SSL problem 
here?

Thanks!

On Wednesday 12 May 2004 23:03, QM wrote:
> On Wed, May 12, 2004 at 10:57:30PM +0200, Plamen Neykov wrote:
> : I have a standalone tomcat installation with client authentication switched on
> : as described in the tomcat documentation. The problem is that anybody who has
> : a signed certificate from my CA can connect to tomcat - even if the client
> : certificate is not in the tomcat keystore .....
> 
> Yes, that's considered a strong selling point of SSL trust
> chains/hierarchies.  ;)
> 
> 
> : How can I make sure that only
> : clients with certificates existing in the tomcat keystore are allowed to
> : connect?
> 
> Remove the CA cert from the keystore and install only the certs (pub
> keys, that is) of clients that should be allowed to connect.
> 
> Barring that, create a special CA for just Tomcat connections and store
> that in the keystore.  That would spare you the trouble of adding
> clients to the keystore individually.
> 
> -QM
> 

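The two approaches in the thread pull in opposite directions: a truststore holding only client certificates makes browsers refuse to offer a certificate (they only present one whose issuer the server lists as acceptable, and that list comes from the truststore), while a truststore holding the CA admits every certificate the CA ever signed. An added example, not from either poster, that keeps the CA in the connector's truststore so the handshake completes and enforces the per-client restriction in a servlet filter instead: the filter compares the SHA-256 fingerprint of the presented certificate against an allowlist given in a hypothetical `fingerprints` init-param (class name and parameter are assumptions, not Tomcat configuration).

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: the TLS connector still trusts the CA (so browsers
// present a certificate), and this filter rejects any client whose leaf
// certificate is not on an explicit fingerprint allowlist.
public class ClientCertAllowlistFilter implements Filter {
    private final Set<String> allowed = new HashSet<String>();

    public void init(FilterConfig cfg) throws ServletException {
        // init-param "fingerprints" (assumed name): comma-separated lowercase
        // hex SHA-256 digests of the DER-encoded client certificates.
        String list = cfg.getInitParameter("fingerprints");
        if (list == null) throw new ServletException("fingerprints init-param missing");
        for (String fp : list.split(",")) allowed.add(fp.trim().toLowerCase());
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // The container stores the verified client chain under this standard
        // servlet attribute; element 0 is the client's own certificate.
        X509Certificate[] certs =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0 || !allowed.contains(fingerprint(certs[0]))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    static String fingerprint(X509Certificate cert) throws ServletException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (GeneralSecurityException e) {
            throw new ServletException("cannot fingerprint client certificate", e);
        }
    }

    public void destroy() {}
}
```

Removing a departed client then means deleting one fingerprint from the filter's list rather than reissuing a CA certificate to everyone.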