Fri, May 05, at 04:31 PM : Jack has proclaimed:

> I have already gotten Tomcat to work with a (single) CRL, and as it
> was a bit of a struggle have placed some info for those trying to do
> this at [1]. The document is far from perfect, and any comments are
> welcome.
>
> [1] http://jack.godau.googlepages.com/jbosscertificatesandopenssl
Thanks for this page. I am not using JBoss, but it has been useful.

I have client certificate authentication working correctly, but I cannot seem to get CRLs to work. I built my CRL by executing:

    $ openssl ca -batch -gencrl -crldays 30 -out crl.pem

This way every user certificate I revoke can be packaged in a single CRL. Is this type of CRL legitimate for use in Tomcat?

I rebuilt tomcat-util.jar based on the directions in this message from the mailing list:

    http://threebit.net/mail-archive/tomcat-users/msg00121.html

(I can't seem to connect to the official archive, hence the link to a 3rd party copy of that email.)

I am using Tomcat 5.5.17 on Linux (no Apache). My connector (in the server.xml file) is:

    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreType="PKCS12"
               crlFile="/ca/crl/crl.pem"
               keystoreFile="/ca/ssl/idp.p12"
               keystorePass="######" />

Is there a way to turn on sufficient debugging within Tomcat so that I can try and figure out what is failing? I don't see any error messages in my tomcat.log file at all. I don't know if it is even trying to parse the crlFile, failing to parse the file, or if it is failing later to recognize the certificate is revoked.

Thanks,
Jeff Krug
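One way to answer the "is this CRL legitimate" part of the question before touching Tomcat is to exercise the same `openssl ca -gencrl -crldays 30` command against a throwaway CA and let `openssl verify` check a revoked certificate against the result. The script below is an added example written for this page, not code from the thread or from Tomcat; it assumes only that the `openssl` command-line tool is installed, and every path, name and config value in it (the scratch CA under a temp directory, the "test client" certificate, the minimal `ca.cnf`) is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA, issue one client
# certificate, revoke it, regenerate the CRL with the same "openssl ca -gencrl"
# command used in the post, and check the outcome with "openssl verify" so the
# CRL file itself can be ruled out before looking at the Tomcat side.
# Assumes only the openssl CLI; everything lives under a temp directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/ca.cnf"

# Minimal openssl.cnf for the scratch CA (constructed for this example).
cat > "$CNF" <<EOF
[ ca ]
default_ca       = scratch_ca

[ scratch_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = any_policy

[ any_policy ]
commonName       = supplied

[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = ca_ext

[ dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# Create the CA database files and a self-signed CA certificate.
setup_ca() {
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=Scratch CA" 2>/dev/null
}

# Issue one client certificate from a CSR, signed by the scratch CA.
issue_client_cert() {
  openssl req -config "$CNF" -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" -subj "/CN=test client" 2>/dev/null
  openssl ca -config "$CNF" -batch -notext \
    -in "$WORK/client.csr" -out "$WORK/client.pem" 2>/dev/null
}

# Same command as in the post, only with an explicit config file.
gen_crl() {
  openssl ca -config "$CNF" -batch -gencrl -crldays 30 -out "$WORK/crl.pem" 2>/dev/null
}

revoke_client_cert() {
  openssl ca -config "$CNF" -batch -revoke "$WORK/client.pem" 2>/dev/null
}

# Prints OK, REVOKED, or ERROR:<reason> for the client cert checked against CA + CRL.
check_client_cert() {
  out=$(openssl verify -crl_check -CAfile "$WORK/ca.pem" \
          -CRLfile "$WORK/crl.pem" "$WORK/client.pem" 2>&1) && { echo OK; return 0; }
  case "$out" in
    *"certificate revoked"*) echo REVOKED ;;
    *) echo "ERROR:$out" ;;
  esac
}

# Succeeds if the CRL's text dump lists the client certificate's serial number.
crl_lists_client_serial() {
  serial=$(openssl x509 -in "$WORK/client.pem" -noout -serial | cut -d= -f2)
  openssl crl -in "$WORK/crl.pem" -noout -text | grep -q "Serial Number: $serial"
}

setup_ca
issue_client_cert
gen_crl
BEFORE=$(check_client_cert)          # expected: OK (empty CRL)
revoke_client_cert
gen_crl
AFTER=$(check_client_cert)           # expected: REVOKED
if crl_lists_client_serial; then LISTED=yes; else LISTED=no; fi
echo "before revocation: $BEFORE, after revocation: $AFTER, serial in CRL: $LISTED"
```

If the run reports REVOKED and the serial shows up in the CRL dump, the PEM CRL produced by `openssl ca -gencrl` is well-formed and carries the revocation, and the same dump (`openssl crl -in /ca/crl/crl.pem -noout -text`) can be run against the real file referenced by `crlFile`. Anything left to debug is then on the Tomcat side; for the handshake itself, the JVM's standard `-Djavax.net.debug=ssl,handshake` system property prints what JSSE does with the client certificate to standard output.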