Have a look at the attached keystore. It contains 2 certificates. In the txt file you can find the contents. Each cert is identified by a localKeyID, which is different. This store does not contain private keys.

I say that truststoreFile should not contain private keys. Imagine that you want to trust clients which are signed by e.g. Verisign CA 1. Then, you cannot add the Verisign CA 1 private key to your truststore, obviously, because it is secret. Moreover, to verify that a certificate is issued by Verisign you only need to check the client certificate signature with the Verisign PUBLIC key, which is included in the certificate. That's why truststoreFile should not contain private keys. In fact, OpenSSL has something similar to truststoreFile which contains CA certificates (only certificates).

Any other comments?

Regards.

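The point made above (a truststore needs nothing but CA certificates, because verifying a client certificate only uses the CA's public key) as an added example, not code from the thread. It builds a throwaway CA and client certificates in memory (constructed data, not the AXMEDIS certificates from the attachment), writes a PKCS12 "truststore" holding the CA certificate only, and verifies a client certificate against it; it assumes the `cryptography` package is installed.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12, BestAvailableEncryption
from cryptography.x509.oid import NameOID

def issue_cert(cn, issuer_name, signing_key, public_key):
    """Issue a short-lived X.509 cert signed by signing_key (constructed sample data)."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(issuer_name).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .sign(signing_key, hashes.SHA256()))

def build_truststore(ca_cert, password):
    """PKCS12 truststore holding the CA certificate only: no private key at all."""
    return pkcs12.serialize_key_and_certificates(
        b"truststore", None, None, [ca_cert], BestAvailableEncryption(password))

def load_truststore(p12_bytes, password):
    """Return (has_private_key, trusted_certs); a sane truststore reports no key."""
    key, cert, extra = pkcs12.load_key_and_certificates(p12_bytes, password)
    return key is not None, ([cert] if cert else []) + list(extra or [])

def client_is_trusted(client_cert, trusted_certs):
    """Verify the client cert's signature using only the issuing CA's PUBLIC key."""
    for ca in (c for c in trusted_certs if c.subject == client_cert.issuer):
        try:
            ca.public_key().verify(client_cert.signature, client_cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), client_cert.signature_hash_algorithm)
            return True
        except InvalidSignature:
            pass  # issuer name matches, but this CA did not sign it
    return False

def run_demo():
    # Constructed scenario: a root CA, a cert it issued, and an impostor cert with the same subject/key but a non-CA signer.
    ca_key = rsa.generate_private_key(65537, 2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Root CA")])
    ca_cert = issue_cert("Demo Root CA", ca_name, ca_key, ca_key.public_key())
    good = issue_cert("user", ca_name, ca_key, rsa.generate_private_key(65537, 2048).public_key())
    rogue = issue_cert("user", ca_name, rsa.generate_private_key(65537, 2048), good.public_key())
    has_key, trusted = load_truststore(build_truststore(ca_cert, b"changeit"), b"changeit")
    return {"truststore_has_key": has_key, "good_accepted": client_is_trusted(good, trusted),
            "rogue_accepted": client_is_trusted(rogue, trusted)}
```

The truststore round-trips with no private key in it, yet the genuinely issued certificate verifies and the impostor (same issuer name, wrong signer) is rejected.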
----- Original Message -----
From: "Martin Gainty" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>; "Víctor Torres - UPF" <[EMAIL PROTECTED]>
Sent: Tuesday, October 24, 2006 8:25 PM
Subject: Re: problem with truststoreFile in server.xml


Which other algorithm do you suggest to uniquely identify the cert contained within the keystore?
a sequence number?
a reference to an object?

The key (which is tied to the cert) uniquely identifies that particular cert in your keystore file

Saludos Cordiales!
M-
This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its
contents
----- Original Message -----
From: "Víctor Torres - UPF" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>; "Martin Gainty" <[EMAIL PROTECTED]>
Sent: Tuesday, October 24, 2006 11:55 AM
Subject: Re: problem with truststoreFile in server.xml


Thanks, but this does not solve my problem.
What I can see in your directions is that you are using JKS keystore and you
are importing the certificate and the private key.
What I was saying is that it should NOT be necessary to import the private keys into a truststoreFile. In fact, when I use as truststoreFile a PKCS12 with the certificate and private key it works. It fails when the PKCS12 only
contains the certificate. This seems to me strange.

Any other suggestions?


----- Original Message ----- From: "Martin Gainty" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>; "Víctor Torres - UPF"
<[EMAIL PROTECTED]>
Sent: Tuesday, October 24, 2006 5:41 PM
Subject: Re: problem with truststoreFile in server.xml


Hello Victor-

you may want to follow the directions on how to create an empty keystore
and then import the private key/certificate chain into the Java
keystore using extkeytool
http://www.switch.ch/aai/certificates/certificateupdate.html

then take a look at the keys afterwards at
keytool -v -list -keystore www.example.edu.jks

Anyone else?
M--
----- Original Message ----- From: "Víctor Torres - UPF" <[EMAIL PROTECTED]>
To: <users@tomcat.apache.org>
Sent: Tuesday, October 24, 2006 9:14 AM
Subject: problem with truststoreFile in server.xml


Dear all,

I have configured my Tomcat 5.5.17 to require SSL client authentication.
For this purpose, I have stored my root CA certificate into a PKCS12 keystore
which I use as truststoreFile by configuring server.xml. This CA certificate
is used to sign user certificates that I want to be trusted.

The problem I have is the following:
- truststoreFile (PKCS12) contains root CA certificate + private key ->
everything works perfectly.
- truststoreFile (PKCS12) contains root CA certificate -> clients cannot
connect.

truststoreFile should not contain private keys, so why does Tomcat behave
in this way?

Thanks in advance.






---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Attachment: keystore.p12
Description: application/pkcs12

Bag Attributes
   localKeyID: C0 36 19 07 AD C4 88 97 A8 5E 72 6F 6B 09 EB E5 E6 F1 29 5C
   friendlyName: AXMEDIS AXCS CA
subject=/O=AXMEDIS/OU=AXMEDIS AXCS CA/C=ES/CN=AXMEDIS AXCS CA/emailAddress=axmed
[EMAIL PROTECTED]
issuer=/O=AXMEDIS/OU=AXMEDIS AXCS CA/C=ES/CN=AXMEDIS AXCS CA/emailAddress=axmedi
[EMAIL PROTECTED]
Bag Attributes
   friendlyName: Other cert
   friendlyName: Other cert
   localKeyID: F2 FF F4 87 F1 56 0F B7 3A 6E 5F 6D 49 0E 0B 5C 64 79 FF 5D
subject=/O=AXMEDIS/CN=ITO_17eae211-5710-35fb-8f1d-ce160de3e98a
issuer=/O=AXMEDIS/OU=AXMEDIS AXCS CA/C=ES/CN=AXMEDIS AXCS CA/emailAddress=axmedi
[EMAIL PROTECTED]