Hello Christopher,

It makes sense, thank you very much for your advice!

Cheers,

Luis

On Mon, Oct 1, 2018 at 20:39, Christopher Schultz (<
ch...@christopherschultz.net>) wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Luis,
>
> On 10/1/18 11:06 AM, Luis Rodríguez Fernández wrote:
> > Agree with Christopher, you have to fix your client. Just get the
> > root Certificate Authority public key and import it in your client
> > truststore.
>
> I'd recommend trusting the finest-grained cert you can get away with.
> That might not always be the root CA cert. It might be the server's
> cert directly.
>
> > If you did not change it, the default keystore of the client (Java) is
> > located in $JAVA_HOME/jre/lib/security/cacerts. Something like:
> >
> > keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts
> > -storepass trust_store_password_here -alias Root -import -file
> > the_downloaded_ca.crt
> >
> > The default password for cacerts is changeit
>
> FWIW, I wouldn't recommend changing the JVM's trust store. I say so
> for two reasons:
>
> 1. You will be trusting that certificate for ALL JVMS LAUNCHED
> AFTERWARD. Perhaps you don't want some other service to trust your
> 192.168.1.120 certificate when it's only supposed to be used with a
> single client service.
>
> 2. You will have to remember to update the trust store every time you
> change your Java installation. That means upgrades, downgrades, etc.
>
> The best way to do this IMO is to create a trust store specific for
> that service (client) and use it EXPLICITLY.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> -----END PGP SIGNATURE-----
>

-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett
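
The quoted advice about a service-specific trust store used explicitly, as an added example that is not code from either participant in this thread: a client that loads its own trust store and attaches it to one connection, leaving the JVM's `cacerts` untouched. The store path, the environment variable name, the alias and port 8443 are assumptions; 192.168.1.120 is the address mentioned above.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Assumed one-time setup, creating a store that holds only the server's cert:
//   keytool -importcert -storetype PKCS12 -keystore client-truststore.p12 \
//           -alias tomcat-server -file server.crt
public class DedicatedTrustStoreClient {

    // Build an SSLContext that trusts ONLY the certificates in the given store.
    static SSLContext contextFor(String storePath, char[] storePass) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(storePath))) {
            trustStore.load(in, storePass);
        }
        if (trustStore.size() == 0) {
            // An empty store would make every handshake fail with an opaque error.
            throw new IllegalStateException("trust store is empty: " + storePath);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default RNG
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String storePath = "/opt/myclient/conf/client-truststore.p12"; // hypothetical path
        String pass = System.getenv("CLIENT_TRUSTSTORE_PASS");         // hypothetical variable
        if (pass == null) {
            throw new IllegalStateException("CLIENT_TRUSTSTORE_PASS is not set");
        }
        URL url = new URL("https://192.168.1.120:8443/");              // port is an assumption

        SSLContext ctx = contextFor(storePath, pass.toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Scope the trust decision to this connection; other code in the JVM,
        // and other JVMs on the host, keep using the default cacerts.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification stays on: the cert needs a SAN matching the address.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Without code changes, the same store can be scoped to a single service by starting only that JVM with `-Djavax.net.ssl.trustStore=` and `-Djavax.net.ssl.trustStorePassword=`.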
