On Wed, May 12, 2004 at 11:31:11PM +0200, Plamen Neykov wrote:
: Thanks for the very quick reply!

Please, don't thank me till it works. ;)


: But .... I had the certificates of the clients only initially in the keystore
: (no CA cert!) but I had trouble with MSIE and Mozilla - both denied to
: present the certificate to the server so that no connection was possible from
: those browsers :-(

Was this a CA from a commercial entity, or a homegrown/self-signed CA?

I don't see why a browser would refuse to present its client cert to the
server.  Sounds more like the client couldn't verify the server CA and
stopped there.  (IIRC, the server gives its cert and then (optionally)
requests the client's cert.)


: On the second suggestion - it would not be very practical to send every
: client a new CA cert. every time someone leaves the community....

Not at all, but that's not quite what I meant: the idea was to create a
new, single CA and store *that* pub key in the keystore.  Certs for
clients are issued from/signed by this new, Tomcat-only CA.

iow, you'd separate your general CA work (for the rest of your
organization) from the certs needed for Tomcat connections.

This is essentially the same as what you have now, except replace "your
current CA" with "this new Tomcat-only CA."

If I've misunderstood your scenario completely, please reexplain.


: Is the Apache http server better on that or is it a kind of basic SSL problem
: here?

Sounds more like an SSL infrastructure issue.

-QM

-- 

software  -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com

