Hi Jeff, you have the keystore type set as PKCS12 even though the CRL is a PEM format file (and hence not PKCS12 format). PKCS12 contains the private key as well as the cert and public key - which is not applicable for the CRL file so this might be why it is getting confused.
You could try removing the keystoreType field and building the keystores as described on my page (as the method described there definitely works). http://jack.godau.googlepages.com/jbosscertificatesandopenssl
<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreType="PKCS12"
           crlFile="/ca/crl/crl.pem"
           keystoreFile="/ca/ssl/idp.p12" keystorePass="######" />

<!-- SSL/TLS Connector configuration using the admin devl guide keystore -->
<Connector port="8443" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           scheme="https" secure="true" clientAuth="true"
           sslProtocol = "TLS"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="123456"
           truststoreFile="${jboss.server.home.dir}/conf/server.truststore"
           truststorePass="123456"
           crlFile="${jboss.server.home.dir}/conf/server.crlFile" />

On 10/05/06, Jeff Krug <[EMAIL PROTECTED]> wrote:
> Fri, May 05, at 04:31 PM : Jack has proclaimed:
> > I have already gotten Tomcat to work with a (single) CRL, and as it
> > was a bit of a struggle have placed some info for those trying to do
> > this at [1]. The document is far from perfect, and any comments are
> > welcome.
> >
> > [1] http://jack.godau.googlepages.com/jbosscertificatesandopenssl
>
> Thanks for this page. I am not using JBoss, but it has been useful. I
> have client certificate authentication working correctly, but I cannot
> seem to get CRLs to work. I built my CRL by executing:
>
> $ openssl ca -batch -gencrl -crldays 30 -out crl.pem
>
> This way every user certificate I revoke can be packaged in a single
> CRL. Is this type of CRL legitimate for use in Tomcat?
If it is a standard format CRL I would think so.
> Is there a way to turn on sufficient debugging within Tomcat so that I
> can try and figure out what is failing? I don't see any error messages
> in my tomcat.log file at all. I don't know if it is even trying to
> parse the crlFile, failing to parse the file, or if it is failing later
> to recognize the certificate is revoked.
Again not sure on this point. I went with the prolonged trial and error method :(

Cheers
Jack...
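One way to answer Jeff's two questions offline, as an added example that is not code from this thread or from Jack's page: load the CA certificate, the PEM CRL produced by `openssl ca -gencrl` and one client certificate through the standard Java CertificateFactory (the same X.509 factory route a JSSE-based Tomcat connector takes when it reads crlFile), verify the CRL signature against the CA key, flag a stale nextUpdate or an issuer mismatch, and look the client certificate's serial number up in the CRL. If this program cannot parse or verify the file, the connector will not be able to use it either, whatever keystore type holds the server key. The three file paths on the command line are assumptions; CertificateFactory accepts both PEM and DER input.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Set;

/*
 * Added example, not code from the thread or from Jack's page.
 * Usage: java CrlCheck <ca-cert.pem> <crl.pem> <client-cert.pem>
 * The three paths are assumptions; any PEM or DER encoded files work.
 */
public class CrlCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java CrlCheck <ca-cert> <crl> <client-cert>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        X509Certificate ca = loadCert(cf, args[0]);
        X509CRL crl = loadCrl(cf, args[1]);          // throws CRLException if the file is not a CRL
        X509Certificate client = loadCert(cf, args[2]);

        // 1. Reaching this line means the CRL parsed: the format is one JSSE understands.
        Set<? extends X509CRLEntry> revoked = crl.getRevokedCertificates();
        System.out.println("CRL issuer:      " + crl.getIssuerX500Principal());
        System.out.println("thisUpdate:      " + crl.getThisUpdate());
        System.out.println("nextUpdate:      " + crl.getNextUpdate());
        System.out.println("revoked entries: " + (revoked == null ? 0 : revoked.size()));

        // 2. The CRL must be signed by the CA that issued the client certificates;
        //    a CRL that does not verify is useless for revocation checking.
        crl.verify(ca.getPublicKey());
        System.out.println("CRL signature verified against " + ca.getSubjectX500Principal());

        // 3. A stale CRL (nextUpdate in the past) is a frequent cause of revocation
        //    checks misbehaving: with -crldays 30 the file must be regenerated monthly.
        Date now = new Date();
        if (crl.getNextUpdate() != null && crl.getNextUpdate().before(now)) {
            System.out.println("WARNING: CRL is stale, nextUpdate has already passed");
        }

        // 4. The CRL only applies to certificates from the same issuer.
        if (!client.getIssuerX500Principal().equals(crl.getIssuerX500Principal())) {
            System.out.println("WARNING: client certificate issuer does not match CRL issuer");
        }

        // 5. The revocation lookup itself, keyed on the certificate serial number.
        X509CRLEntry entry = crl.getRevokedCertificate(client.getSerialNumber());
        String serialHex = client.getSerialNumber().toString(16);
        if (entry != null) {
            System.out.println("REVOKED: serial " + serialHex + " at " + entry.getRevocationDate());
        } else {
            System.out.println("not revoked: serial " + serialHex);
        }
    }

    private static X509Certificate loadCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    private static X509CRL loadCrl(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509CRL) cf.generateCRL(in);
        }
    }
}
```

Run it once against a certificate you have revoked and once against one you have not; if both report the expected result but the connector still accepts the revoked certificate, the problem lies in the connector configuration rather than in the CRL file, which narrows the trial-and-error considerably.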