Hi Mark, thanks a lot for your comments.

The problem is that I found a way to generate via API a PKCS12
keystore for my client, but it won't be based on my server's
certificate.

I could not find a way to auto-enroll users using openssl and Java, I
mean control openssl commands from Java to create PKCS12 keystores
they can import, already signed by my server certificate, so that my
server will trust in them without having to reload the Truststore (if
I understood well your last paragraph).

That's why I was looking into this problem, once I was able to create
these client certificates via API (CertAndKeyGen.getSelfCertificate())
and store the client certificates into my truststore, I thought the
natural next step was to reload the truststore in some way, because
these certificates are not linked to my server-certificate and the
server must verify them. It seems I have to resort to openssl to sign
them with my server's certificate, but I don't know how to do that
programmatically with Java.

I searched the tomcat archives and found that others confronted this
problem and probably shared my misconception of the certificate
system, but no one reported it as solved, either by doing it the right
way via openssl or finally implementing a trustManager, or something
like that using JSSE APIs (which is what I would prefer).

Thanks for the links anyway, if you have some resource about
controlling the process via openssl with Java, please share it with
me.

Regards.


On 6/11/07, Mark Claassen <[EMAIL PROTECTED]> wrote:
Humm.  I don't think this is how the certificate system is supposed to be
used.  The intention is that the truststore handles certificates authorities
you trust.

For an example, let's switch to the browser.

Browsers generally trust Verisign and Thawte out of the box.  You can see
these certificates in your browser's options pages.

So, let's say you go to amazon.com.  Amazon will have a certificate that was
created for them by, say, Verisign.  Your browser will get the amazon
certificate and see that it was created by verisign.  Since your browser
already trusts verisign, it will trust that amazon is who it says it is.
(Verifying identity is the certificate's primary function.)

Tomcat works the same way.  So, in your case, maybe you want to create your
own certificate and put it into your truststore.  Then, as you create
certificates for others, you create them based on the certificate you
loaded into your truststore.  Since Tomcat already trusts this one, all the
certificates you create and give to others will also be trusted...no
reconfiguration necessary.

Mark

Some helpful links:

http://www.tc.umn.edu/~brams006/selfsign.html
http://www.openssl.org/docs/apps/x509.html
http://www.openssl.org/docs/apps/pkcs12.html
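The CA model Mark describes (your own CA certificate in the truststore, every client certificate signed by that CA) and the "how do I do the signing from Java instead of openssl" question in the reply above can both be shown in one Java class. This is an added example, not code from either poster, from Tomcat, or from the JDK; it assumes the Bouncy Castle bcpkix library on the classpath (the JDK has no public API for signing a certificate, and `CertAndKeyGen` is an internal `sun.security` class), Java 11 or later for `Path.of`, and the class, file names, DNs and passwords are all invented for the demonstration. Note the separation it keeps: the CA private key stays with the enrollment service, and the truststore written for Tomcat holds only the CA certificate.

```java
import java.io.OutputStream;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** Hypothetical enrollment helper: a private CA that issues client certs and packages them as PKCS12. */
public class ClientCertIssuer {

    private static final SecureRandom RNG = new SecureRandom();
    private static final long DAY_MS = 24L * 60 * 60 * 1000;

    private final X509Certificate caCert; // the only thing Tomcat's truststore needs
    private final PrivateKey caKey;       // never leaves the enrollment service

    public ClientCertIssuer(X509Certificate caCert, PrivateKey caKey) {
        this.caCert = caCert;
        this.caKey = caKey;
    }

    /** Create a fresh self-signed CA (Mark's "create your own certificate" step). */
    public static ClientCertIssuer newCa(String dn, int validDays) throws Exception {
        KeyPair kp = newKeyPair();
        X500Name name = new X500Name(dn);
        X509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                name, serial(), notBefore(), notAfter(validDays), name, kp.getPublic());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        return new ClientCertIssuer(sign(b, kp.getPrivate()), kp.getPrivate());
    }

    /** Sign a client certificate with the CA key: the step the thread wanted to do without openssl. */
    public X509Certificate issue(String subjectDn, PublicKey clientKey, int validDays) throws Exception {
        X509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                caCert, serial(), notBefore(), notAfter(validDays), new X500Name(subjectDn), clientKey);
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); // end entity, not a CA
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature));
        b.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
        X509Certificate cert = sign(b, caKey);
        cert.verify(caCert.getPublicKey()); // sanity check: the new cert really chains to our CA
        return cert;
    }

    /** Bundle for the user: private key, client cert and CA cert, importable into a browser. */
    public void writeClientPkcs12(Path out, String alias, PrivateKey key, X509Certificate cert, char[] pw)
            throws Exception {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null);
        p12.setKeyEntry(alias, key, pw, new Certificate[] { cert, caCert });
        try (OutputStream os = Files.newOutputStream(out)) { p12.store(os, pw); }
    }

    /** Truststore for Tomcat: the CA certificate only, no private key, never touched per enrollment. */
    public void writeTrustStore(Path out, char[] pw) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        ts.load(null, null);
        ts.setCertificateEntry("enrollment-ca", caCert);
        try (OutputStream os = Files.newOutputStream(out)) { ts.store(os, pw); }
    }

    static KeyPair newKeyPair() throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        return g.generateKeyPair();
    }

    private static X509Certificate sign(X509v3CertificateBuilder b, PrivateKey key) throws Exception {
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(key);
        return new JcaX509CertificateConverter().getCertificate(b.build(signer));
    }

    private static BigInteger serial() { return new BigInteger(64, RNG).add(BigInteger.ONE); }
    private static Date notBefore() { return new Date(System.currentTimeMillis() - DAY_MS); }
    private static Date notAfter(int days) { return new Date(System.currentTimeMillis() + days * DAY_MS); }

    public static void main(String[] args) throws Exception {
        ClientCertIssuer ca = newCa("CN=Enrollment CA,O=Example", 3650);
        ca.writeTrustStore(Path.of("truststore.p12"), "changeit".toCharArray());
        // One self-enrollment: generate the user's key pair and hand back a .p12 (invented sample user).
        KeyPair user = newKeyPair();
        X509Certificate cert = ca.issue("CN=alice,O=Example", user.getPublic(), 365);
        ca.writeClientPkcs12(Path.of("alice.p12"), "alice", user.getPrivate(), cert, "alice-pw".toCharArray());
        System.out.println("issued " + cert.getSubjectX500Principal() + " signed by " + cert.getIssuerX500Principal());
    }
}
```

Because every client certificate chains to the single CA entry, the truststore is written once and Tomcat never needs a reload per enrolled user; only a CA rotation changes it. Generating the user's key pair on the server, as the thread's self-enrollment design implies, means the server briefly holds every user's private key, so the `.p12` should be delivered over the existing TLS session and the key material discarded immediately afterwards.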


-----Original Message-----
From: Ronald Spiers [mailto:[EMAIL PROTECTED]
Sent: Monday, June 11, 2007 10:21 AM
To: users@tomcat.apache.org
Subject: Reloading keystore - how to register a new TrustStore Manager for
Tomcat?

Hi, I am preparing a self enrollment webapp for generating client
certificates and adding them to the server keystore. I know that Tomcat
won't reload keystore unless the server is restarted, so I did look for
alternatives, and the JSSE guide explains an approach to this in the section
"Creating Your Own X509TrustManager".

My question is: Does anybody in this list have some experience solving this
problem, providing tomcat a custom trust manager to dynamically add a
client certificate to the verification path when client credentials are
presented?

Can self-enrollment be done using Tomcat and JSSE? Maybe it can't be done and I
am just wasting my time ;) I have searched a lot in the last 3 days, tomcat
list archives and other materials, and I have not found a single solution to
this problem, except for the JSSE guide and this article, which explains how
to create a trustManager and an SSLContext for implementing S/MIME with
JavaMail:

* http://www.javaworld.com/javatips/jw-javatip115.html

Thanks a lot for any feedback you can provide.

Regards,
Martin

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
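The "Creating Your Own X509TrustManager" approach from the JSSE guide that the original question points at looks like the class below: a trust manager that delegates to the JDK's standard one and rebuilds that delegate whenever the truststore file on disk changes, so a certificate added to the store is honoured without a JVM restart. This is an added example, not code from the JSSE guide, the JavaWorld article, Tomcat or any poster; it assumes a PKCS12 or JKS truststore whose path and password are passed on the command line, Java 11 or later, and it does not show how to hand the `SSLContext` to a Tomcat connector because the thread does not describe that wiring.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical X509TrustManager that re-reads its truststore when the file's
 * modification time changes. Verification itself is still done by the JDK's
 * own trust manager; this class only decides which snapshot of the store is current.
 */
public final class ReloadingTrustManager implements X509TrustManager {

    private final Path storePath;
    private final String storeType;
    private final char[] password;

    // Last delegate that loaded cleanly and the file mtime it was built from.
    private volatile X509TrustManager delegate;
    private volatile FileTime loadedAt;

    public ReloadingTrustManager(Path storePath, String storeType, char[] password)
            throws IOException, GeneralSecurityException {
        this.storePath = storePath;
        this.storeType = storeType;
        this.password = password.clone();
        reload(Files.getLastModifiedTime(storePath)); // fail fast if the store is unusable at startup
    }

    /** Rebuild the delegate; the old one stays in place until the new store has loaded completely. */
    private synchronized void reload(FileTime mtime) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(storeType);
        try (InputStream in = Files.newInputStream(storePath)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                delegate = (X509TrustManager) tm;
                loadedAt = mtime;
                return;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager for store type " + storeType);
    }

    /** Current delegate, refreshed if the file changed; never returns null once constructed. */
    private X509TrustManager current() {
        try {
            FileTime mtime = Files.getLastModifiedTime(storePath);
            if (!mtime.equals(loadedAt)) {
                reload(mtime);
            }
        } catch (IOException | GeneralSecurityException e) {
            // A half-written or corrupt store must not loosen trust: keep serving the last good
            // delegate (fail closed relative to the new file). Log this in real code.
        }
        return delegate;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        current().checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        current().checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return current().getAcceptedIssuers(); // the issuer list sent in the CertificateRequest
    }

    /** SSLContext whose peer verification goes through this trust manager. */
    public static SSLContext newSslContext(ReloadingTrustManager tm) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null); // key managers (server cert) not covered here
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        ReloadingTrustManager tm = new ReloadingTrustManager(Path.of(args[0]), "PKCS12", args[1].toCharArray());
        System.out.println("trusted issuers: " + tm.getAcceptedIssuers().length);
    }
}
```

Two practical caveats: whoever rewrites the truststore should write a temporary file and rename it over the old one, otherwise the reload may observe a partially written file (which the code above tolerates by keeping the previous delegate, but then silently lags); and filesystem mtime granularity can be a full second, so two writes inside the same second may go unnoticed until the next change. With the CA-based layout Mark recommends the store only changes on CA rotation, so this class is a safety net rather than something exercised per enrollment.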





