-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Diarmuid,
(Marking as OT because this is not a Tomcat issue.) On 9/1/15 5:34 PM, dmccrthy wrote: > Sorry for the ambiguity, we're using scenario (b), outgoing client > connections. The server cert is signed by GeoTrust but we don't > have the full CA chain in the truststore, only the server cert. Okay, then you need to do the following: 1. Put your client key + signed certificate into your keystore 2. Put the server's cert (or GeoTrust's top-level CA cert and any intermediate certs that you might need) into your truststore 3. Configure your HTTP client to use the above keystore and trust store (or really just pull the client key+cert and configure them with the HTTP client... a keystore is not strictly necessary but it sometimes makes everything a bit easier if the HTTP client library can work with the keystore instead of individual Java objects) That should be all you need to do. If your HTTP client library can detect the system properties you've already set, then that's great. If it can't, you'll need to use actual Java code to configure it properly. If the above doesn't work, please provide stack traces when you get errors. Since OpenSSL s_client works, your client key+cert are working and you just need to get the configuration of your own client right. - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJV5vHSAAoJEBzwKT+lPKRYnGYP/0s5tT+8vNQW4EaNquYLU94R 5VcbiPQRARJ/Q8bkTSPKFUALU6+l7wIhrEdVTNa4RgmHYEYn08F9/9mdre0ydOpv 1LJF1D6fjQeKvmbD3vLCfxad4YepurzD2gIhcQ38lcXPh0lGoANfFRaklX+jggRb oQ+B4z89cTC3+HELckUqbftUjoSs1vbaogcbQo7jXL1z+Iwe0510A4ijud5sDkUe xdFdU8PA3w9VbNMGAwtxYmvKEtwg3zzm45rvUafCHHbfQgXk9MTM+rl+dlxDdEpM J7Rmt2j84dnl/uAQdVMEoN9ELf8KoSd36BiIgT1Yn2U08GFu1UUCkiKfPvc69jvp beeHma6iZFdxYnPkbZcinKdXAuqlm+n6k8IMSkuN+iLP6wzoeI9hdWTJYi21pdrb 43Leh7xk41QLhRiySB7M55YVk/H13ZJHHQvNm1zTwaRutuwyKvb9t8srZ/a7eEe0 FZVyB4soRLoLco2KzYHboYhyCsLjgP30MzmJwLqAUm2JU8rAWLhpwXFLrPt0rURn NNybVH+Nle2FXJ8SQkYo3PjzFwQlIRMnxhcAkl/i3GWG5QH5QirXAgJ2AI5UEj+t 3TIKEZKe3eAm6u0CNXoux8iVgkTDZHmqp/WtHr0nwIUMYaN7KOGWsm4wGAvBOg/O 6uNejioO4Kcu4/ZrVe8p =vCLy -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
