Humm. I don't think this is how the certificate system is supposed to be used. The intention is that the truststore handles certificates authorities you trust.
For an example, let's switch to the browser. Browsers generally trust Verisgn and Thwart out of the box. You can see these certificates in your browser's options pages. So, let's say you go to amazon.com. Amazon will have a certificate that was created for them by, say, Verisign. Your browser will get the amazon certificate and see that it was created by verisign. Since your browser already trusts verisign, it will trust that amazon is who it says it is. (Verifying identity is the certificate's primary function.) Tomcat works the same way. So, in your case, maybe you want to create your own certificate and put it into your truststore. Then, as you create certificates for other's, you create them based on the certificate you loaded into your truststore. Since Tomcat already trusts this one, all the certificates you create and give to others will also be trusted...no reconfiguration necessary. Mark Some helpful links: http://www.tc.umn.edu/~brams006/selfsign.html http://www.openssl.org/docs/apps/x509.html http://www.openssl.org/docs/apps/pkcs12.html -----Original Message----- From: Ronald Spiers [mailto:[EMAIL PROTECTED] Sent: Monday, June 11, 2007 10:21 AM To: users@tomcat.apache.org Subject: Reloading keystore - how to register a new TrusStore Manager for Tomcat? Hi, I am preparing a self enrollment webapp for generating client certificates and adding them to the server keystore. I know that Tomcat won't reload keystore unless the server is restarted, so I did look for alternatives, and the JSSE guide explains an approach to this in the section "Creating Your Own X509TrustManager". My question is: Does anybody in this list have some experience solving this problem?, providing tomcat a custom trust manager to dynamically add a client certificate to the verification path when client credentials are presented? Can self-enrollment be done using Tomcat and JSSE? maybe it can't be done I am just wasting my time ;) I have searched a lot in the last 3 days, tomcat list archives and other materials, I have not found a single solution to this problem, except for the JSSE guide and this article, that explains how to create a trustManager and a SSLContext for implementing S/MIME with JavaMail: * http://www.javaworld.com/javatips/jw-javatip115.html Thanks a lot for any feedback you can provide. Regards, Martin --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
