Using keytool, I generated a couple of client trust/key stores and a server trust/key store to set up two-way SSL authentication. I used a single jks file as both the trust/key store for each client/server.

I've set up the Tomcat 6 secure connector to require the client to present its cert:

    <Connector SSLEnabled="true" clientAuth="true" minSpareThreads="5" maxSpareThreads="75"
               enableLookups="true" disableUploadTimeout="true" acceptCount="100" maxThreads="200"
               keystoreFile="conf/server.jks" keystorePass="myPassword" keystoreType="JKS"
               port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"
               truststoreFile="conf/server.jks" truststorePass="myPassword" truststoreType="JKS"/>

For the most part, the setup seems to be working fine. Tomcat allows requests from clients with valid certificates (trusted/valid date range) and denies clients with unknown certificates (i.e. ones that weren't imported into the server trust store). However, I had one case where I purposely created a client certificate to be valid for only 1 day in order to test expired certificates. Even though we were well past the valid date range of the certificate, it didn't seem that Tomcat checked the expired date range during the certificate validation and allowed the request to proceed. I believe that the check happens in the X509Certificate.checkValidity(date) method, but debugging from Eclipse, it doesn't seem like this method was ever called.

I've checked most of the message boards and people seem to have the opposite problem (i.e. an expired certificate preventing access and they need to renew/replace it). I figured that this check should happen by default and did not find any additional attributes on the Connector to indicate that it was something that needed to be specified explicitly. Any insights will be greatly appreciated.
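An added check that is not part of the question above: Java's PKIX path validation treats any certificate found in the truststore as a trust anchor and does not run the validity-period check on the anchor itself, only on the certificates below it, so a client certificate imported directly into conf/server.jks is accepted regardless of its dates. The audit below (example code, not from the poster or from Tomcat) opens a JKS truststore and reports each trusted certificate that is already expired or that looks like a self-signed end-entity (non-CA) certificate, which is the pattern keytool -genkeypair produces. The file path and password are taken from the command line; TrustStoreAudit and Finding are names chosen here.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;

/** Audits a JKS truststore for expired anchors and self-signed leaf certs used as anchors. */
public class TrustStoreAudit {

    /** One finding per X.509 entry in the store. */
    public static final class Finding {
        public final String alias;
        public final boolean expired;        // checkValidity(now) failed
        public final boolean selfSignedLeaf; // issuer == subject and no CA basicConstraints

        Finding(String alias, boolean expired, boolean selfSignedLeaf) {
            this.alias = alias; this.expired = expired; this.selfSignedLeaf = selfSignedLeaf;
        }

        @Override public String toString() {
            return alias + ": expired=" + expired + ", selfSignedLeaf=" + selfSignedLeaf;
        }
    }

    /** Walks every alias; key entries contribute their leaf cert, as the JSSE trust manager does. */
    public static List<Finding> audit(KeyStore ks, Date now) throws Exception {
        List<Finding> findings = new ArrayList<Finding>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            boolean expired;
            try { x.checkValidity(now); expired = false; }
            catch (CertificateException e) { expired = true; } // expired or not yet valid
            boolean selfSigned = x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
            boolean isCa = x.getBasicConstraints() != -1;   // -1 means "not a CA"
            findings.add(new Finding(alias, expired, selfSigned && !isCa));
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(args[0]);   // e.g. conf/server.jks
        try { ks.load(in, args[1].toCharArray()); } finally { in.close(); }
        for (Finding f : audit(ks, new Date())) System.out.println(f);
    }
}
```

Any entry reported as selfSignedLeaf is a client certificate acting as its own trust anchor; moving such clients under a CA certificate, with only the CA in the server truststore, puts their dates back on the validated part of the chain.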
