Steve,

On 9/23/2009 11:49 PM, Steve Cohen wrote:
> I have a backend application that runs under Tomcat. It does not serve
> Web pages. It depends on various services that use SSL in one way or
> another:
>
> 1) It connects with a vendor's Web Service over https:, which depends on
> one of the certificates in the default cacerts file
>
> 2) It connects with another vendor's Web Service over https: but this
> one depends on a CA certificate issued by the vendor.
>
> 3) It makes SSL-encrypted connections to a MySQL database using a
> self-generated SSL certificate.
>
> I can get this to work by using keytool and importing the entire cacerts
> keystore, the self-generated CA cert for mysql, and the second vendor's
> ca cert into a single truststore, then setting system properties to
> point at this at app startup.
>
> But this feels like a real hack.

So, you basically copy the system cacerts file and merge in the two other certificates? That doesn't sound too bad to me. Another option is to simply modify the system cacerts file.

I thought that the JVM would load the system cacerts file plus ~/.cacerts or something similar automatically. Have you looked at the documentation for SocketFactory and friends?

Another option is to simply turn off certificate checking for SSL connections, but I really don't recommend this except for testing environments.

-chris
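A programmatic alternative to the single merged truststore, in the spirit of the SocketFactory pointer above: an added example (not code from this thread) that builds an SSLContext whose trust manager consults the JDK's default cacerts plus the two extra stores, so neither cacerts nor the global javax.net.ssl system properties have to be touched. The class name, the two keystore paths and the password are assumptions; trust is the union of the three stores, the same as the merged truststore gives.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
public final class CompositeTrust {
    // Accepts a chain if any delegate accepts it; fails only when every delegate has rejected it.
    static final class CompositeTrustManager implements X509TrustManager {
        private final List<X509TrustManager> delegates;
        CompositeTrustManager(List<X509TrustManager> delegates) { this.delegates = delegates; }
        private void check(X509Certificate[] chain, String authType, boolean server) throws CertificateException {
            CertificateException last = null;
            for (X509TrustManager tm : delegates) {
                try {
                    if (server) tm.checkServerTrusted(chain, authType); else tm.checkClientTrusted(chain, authType);
                    return;                                   // one store vouched for the chain
                } catch (CertificateException e) { last = e; } // remember the failure, try the next store
            }
            throw last != null ? last : new CertificateException("no trust managers configured");
        }
        @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { check(c, a, true); }
        @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { check(c, a, false); }
        @Override public X509Certificate[] getAcceptedIssuers() {
            List<X509Certificate> all = new ArrayList<>();
            for (X509TrustManager tm : delegates) all.addAll(Arrays.asList(tm.getAcceptedIssuers()));
            return all.toArray(new X509Certificate[0]);
        }
    }
    // A null KeyStore makes the factory use the JDK default trust store (cacerts, or javax.net.ssl.trustStore if set).
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory f = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        f.init(ks);
        for (TrustManager tm : f.getTrustManagers()) if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("provider returned no X509TrustManager");
    }
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }
    // Assumed inputs: one keystore holding the second vendor's CA, one holding the self-generated MySQL CA.
    public static SSLContext build(String vendorCaStore, String mysqlCaStore, char[] pw) throws Exception {
        List<X509TrustManager> tms = new ArrayList<>();
        tms.add(trustManagerFor(null));                    // default cacerts covers vendor 1
        tms.add(trustManagerFor(load(vendorCaStore, pw))); // vendor 2's private CA
        tms.add(trustManagerFor(load(mysqlCaStore, pw)));  // MySQL's self-generated CA
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new CompositeTrustManager(tms) }, null);
        return ctx; // e.g. HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory())
    }
}
```

Connector/J takes its trust store from its own connection properties (trustCertificateKeyStoreUrl and friends) rather than from an SSLContext, so the MySQL leg can be pointed at its store directly while the two web-service clients use this context.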