Imagine an online banking system with some thousand clients.

I can't believe that you have to import each
client cert into the keystore file.

If you start tomcat with the -Djavax.net.debug=all option
you should be able to verify that tomcat initially sends a list 
of trusted CAs taken from the cacert file. 
This file should contain one CA (or more) that signed 
a client certificate signing request (or groups of them).

But Anton Brazhnyk's suggestion could be an alternative way.
If anybody succeeded in establishing the ssl client cert handshake
after importing client certs into the keystore file only,
please let us know.


Regards,
Wolfgang
 

Anton Brazhnyk wrote:
> ....
> I'm not sure it's necessary, but I'd import last certificate with 
> following command:
> 
>       keytool -import -trustcacerts -file my.crt -alias tomcat
> ....


Wolfgang Stein wrote:
> ....
> As far as I understand the client-auth handshake,
> the server sends a list of trusted CAs to the client.
>
> This list is taken from
> <JAVA_HOME_set_in_your_tomcat>\lib\security\cacerts
> So you have to import your CA-cert into that file,
> instead of your .keystore .
> There is no need to import the client cert into cacerts or keystore.
> ....
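The list of trusted CAs that the -Djavax.net.debug=all output shows the server sending is the certificate_authorities field of the TLS CertificateRequest handshake message (TLS 1.2 framing is assumed here). The Python below is an added example, not code from anyone on this list: it builds such a message for a constructed "Example Bank" CA name (made up for the example, not a real CA) and parses it back to recover the issuer names a client would see, which are the names it uses to pick a matching client certificate.

```python
import struct

# Attribute-type OIDs for the few name components this example handles.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}
OIDS = {name: oid for oid, name in OID_NAMES.items()}
def der(tag, body):
    return bytes([tag, len(body)]) + body   # minimal DER TLV; short-form length (< 128 bytes) suffices here
def encode_dn(**rdns):
    """Encode an X.501 Name: SEQUENCE of SET of SEQUENCE { OID, UTF8String }."""
    parts = b""
    for key, value in rdns.items():
        parts += der(0x31, der(0x30, der(0x06, OIDS[key]) + der(0x0c, value.encode())))
    return der(0x30, parts)

def decode_dn(blob):
    """Decode a Name produced by encode_dn into 'CN=..., O=..., C=...'."""
    rdns, pos, out = blob[2:2 + blob[1]], 0, []
    while pos < len(rdns):
        set_len = rdns[pos + 1]
        atv = rdns[pos + 2:pos + 2 + set_len]        # 30 L 06 L <oid> 0c L <value>
        oid_len = atv[3]
        oid = atv[4:4 + oid_len]
        value = atv[6 + oid_len:6 + oid_len + atv[5 + oid_len]].decode()
        out.append(f"{OID_NAMES.get(oid, oid.hex())}={value}")
        pos += 2 + set_len
    return ", ".join(out)
def build_certificate_request(ca_names):
    """TLS 1.2 CertificateRequest (RFC 5246 7.4.4) advertising the given DER names."""
    cert_types = bytes([1, 64])                      # rsa_sign, ecdsa_sign
    sig_algs = bytes([4, 1, 4, 3])                   # sha256/rsa, sha256/ecdsa
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names)
    body = bytes([len(cert_types)]) + cert_types + struct.pack("!H", len(sig_algs)) + sig_algs
    body += struct.pack("!H", len(cas)) + cas
    return bytes([13]) + len(body).to_bytes(3, "big") + body   # msg_type 13, 24-bit length
def parse_certificate_authorities(msg):
    """Return the trust anchors (DNs) a server advertises in a CertificateRequest."""
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    pos = 1 + body[0]                                         # skip certificate_types
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # skip signature algorithms
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos, names = pos + 2, []
    while pos < end:
        dn_len = struct.unpack("!H", body[pos:pos + 2])[0]
        names.append(decode_dn(body[pos + 2:pos + 2 + dn_len]))
        pos += 2 + dn_len
    return names
```

A server whose truststore holds only the CA (not every client certificate) advertises just that CA's name here, which is why importing the CA certificate is what makes the handshake work.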
