Posted to users@tomcat.apache.org by Alex O'Ree <al...@apache.org> on 2018/02/22 03:23:17 UTC

Http with client certificate authentication

Howdy folks,

If I set up a tomcat connector in server.xml with clientAuth="true" and have
the key store for tomcat and a trust store, is the following true?

- all public key certificates issued by CAs in the trust store are allowed in?
- all user public key certificates in the trust store are allowed in
(assuming their CAs are also in the same trust store)?
- is the JRE's "cacerts" file merged in with this trust store? (This is
normally the case, but I figured I'd ask for clarity.)


Finally regarding certificate validation:
- I'm assuming basic validation checks are performed, time checks, etc.
- if the requesting user cert has a CRL or OCSP url attached to the cert,
does tomcat do anything to validate that the cert is still valid?

Regarding OCSP, I did see some documentation in the guides related to the
windows native connector, but I don't think I'm using that and would prefer
to remain portable to linux if possible. It's also not clear from the docs
how or why it's used.

Re: Http with client certificate authentication

Posted by Mark Thomas <ma...@apache.org>.
On 22/02/18 03:23, Alex O'Ree wrote:
> Howdy folks,
> 
> If I set up a tomcat connector in server.xml with clientAuth="true" and have
> the key store for tomcat and a trust store, is the following true?
> 
> - all public key certificates issued by CAs in the trust store are allowed in?

Yes.

> - all user public key certificates in the trust store are allowed in
> (assuming their CAs are also in the same trust store)?

Yes. There is no requirement for the issuing cert and associated chain
to a CA to be in the trust store.

> - is the JRE's "cacerts" file merged in with this trust store? (This is
> normally the case, but I figured I'd ask for clarity.)

No.


> Finally regarding certificate validation:
> - I'm assuming basic validation checks are performed, time checks, etc.

Any cert in the trust store is fully trusted without ANY validation.

Certificates not in the trust store are validated as are all certs in
the issuing chain until a cert in the trust store is reached. If no
trusted cert is reached, the client cert is rejected.

> - if the requesting user cert has a CRL or OCSP url attached to the cert,
> does tomcat do anything to validate that the cert is still valid?

CRLs should be checked if configured. Note that they are probably only
read once at Tomcat start and then cached.

OCSP requires tomcat-native.

> Regarding OCSP, I did see some documentation in the guides related to the
> windows native connector, but I don't think I'm using that and would prefer
> to remain portable to linux if possible. It's also not clear from the docs
> how or why it's used.

tomcat-native provides a bridge to OpenSSL. It is generally used because
it is faster than JSSE. It is available for all platforms although
binaries are only provided for Windows.

Mark
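As an added example (not part of the thread, and not Tomcat's own documentation), the connector configuration the two posts are discussing, written in the Tomcat 8.5/9 `SSLHostConfig` form: a client certificate is required, it is verified against an explicit trust store rather than the JRE's cacerts, and the configured CRL is consulted. File names, the keystore type and the passwords are placeholders to be replaced with local values.

```xml
<!-- Added example, not from the thread: HTTPS connector requiring client
     certificates. Paths and passwords are placeholders. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <!-- certificateVerification="required" is the SSLHostConfig equivalent
         of the legacy clientAuth="true" connector attribute. -->
    <SSLHostConfig certificateVerification="required"
                   truststoreFile="conf/client-ca-truststore.p12"
                   truststorePassword="changeit"
                   truststoreType="PKCS12"
                   certificateRevocationListFile="conf/client-ca.crl">
        <!-- The server's own identity: key store, not trust store. -->
        <Certificate certificateKeystoreFile="conf/server-keystore.p12"
                     certificateKeystorePassword="changeit"
                     certificateKeystoreType="PKCS12"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

Two points from the answer above follow directly from this layout. Because anything in `truststoreFile` is trusted without validation, the trust store should hold only the issuing CA certificates, not individual user certificates; an end-entity certificate placed there would bypass the chain, expiry and CRL checks that apply to certificates presented from outside the store. And since the CRL named in `certificateRevocationListFile` is read when the connector starts, a revocation published later is not seen until the CRL file is replaced and the connector is restarted, so the CRL refresh needs to be part of the operational procedure rather than assumed to happen on its own.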
