Question

This is my first question in this forum, please accept my apologies for any mistake in advance. I have a problem configuring tomcat with SSL and APR.

Context: tomcat 7, Java 7, OpenSSL, a couple of valid x509 certificates.

My https connector:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           SSLVerifyClient="require" SSLVerifyDepth="3"
           SSLCertificateFile="${catalina.home}/security/server.pem"
           SSLCertificateKeyFile="${catalina.home}/security/server.key"
           SSLCertificateChainFile="${catalina.home}/security/trust.pem"
           SSLCACertificateFile="${catalina.home}/security/trust_ca.pem"
           />

PKI tree:

ROOT -> CA_intermediate -> CA4Servers -> server (tomcat)
                                      -> serv2Cert
                        -> CA4People  -> people1Cert

A Windows PC client with 2 certificates in the Windows keystore (Windows-MY): people1Cert and serv2Cert

trust.pem includes ROOT, CA_intermediate, CA4Servers and the Tomcat PEM-encoded public key. trust_ca.pem has all of trust.pem but the Tomcat cert.

What I want: Go to https://tomcat.server:8443/, the browser presents me the certificate chooser dialog with ONE certificate: serv2Cert, I select it and get into the web page successfully. If I select another certificate, the server presents me an error page.

My problem: When I get the certificate chooser dialog, I see 2 certs: serv2Cert and people1Cert (?). Both of them let me go to the web page! If I change SSLVerifyDepth or trust_ca.pem to limit the client certificates to only serv2Cert, I get SSL errors like unknown ca or unknown certificate.

I've already tried some SSLVerifyDepth values like 1, 2, 3, 4. Only "3" lets me log into the server. If I remove all CA certs from trust_ca.pem but ROOT, it lets me log in with both client certificates (people1Cert and serv2Cert).

I will appreciate any help about this, sorry for my poor English, thank you in advance. Best regards.


Solution

You can't do this with Tomcat. It is very inflexible about SSL. Note that you are configuring for the entire Tomcat container, not a single web app. I recommend you put an Apache HTTP in front of Tomcat, i.e. as a reverse proxy. Apache HTTPD lets you configure every aspect of SSL, including acceptable client identities, right down to the level of individual directories.
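As an added example (not the answerer's own config), here is what the suggested front-end would look like: an Apache httpd 2.4 virtual host with mod_ssl, mod_proxy and mod_headers that terminates TLS, advertises only CA4Servers to the browser so the chooser hides people1Cert, rejects anything not issued by CA4Servers server-side, and forwards to a plain-HTTP Tomcat connector. The file paths, the backend port 8080 and the assumption that the CA's common name is literally "CA4Servers" are mine, taken from the question's PKI tree.

```apache
# Added example config, not from the question or answer. Assumes httpd 2.4 with
# mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded; paths are placeholders.
Listen 8443
<VirtualHost *:8443>
    ServerName tomcat.server

    SSLEngine on
    SSLCertificateFile      /etc/httpd/ssl/server.pem
    SSLCertificateKeyFile   /etc/httpd/ssl/server.key
    # Intermediates that complete the server's own chain (ROOT -> CA_intermediate -> CA4Servers).
    SSLCertificateChainFile /etc/httpd/ssl/trust.pem

    # CAs used to VERIFY the client chain. Because people1Cert's issuer (CA4People) chains to
    # CA_intermediate, a trust store containing CA_intermediate or ROOT verifies it too; this
    # file alone therefore cannot restrict which identities are accepted.
    SSLCACertificateFile    /etc/httpd/ssl/trust_ca.pem
    # CA names ADVERTISED in the TLS CertificateRequest. Listing only the CA4Servers cert here
    # makes Windows/browser choosers offer serv2Cert and hide people1Cert. (Assumed file: the
    # single PEM certificate of CA4Servers.)
    SSLCADNRequestFile      /etc/httpd/ssl/ca4servers.pem

    SSLVerifyClient require
    SSLVerifyDepth  3
    SSLOptions +StdEnvVars

    # The advertised CA list is only a hint to the client; enforce the issuer here so a
    # hand-picked people1Cert gets a 403 even though it chains to a trusted root.
    <Location />
        Require expr %{SSL_CLIENT_I_DN_CN} == "CA4Servers"
        ProxyPass        http://127.0.0.1:8080/
        ProxyPassReverse http://127.0.0.1:8080/
    </Location>

    # Pass the verified client subject DN to the application behind the proxy.
    RequestHeader set X-Client-DN "%{SSL_CLIENT_S_DN}s"
</VirtualHost>
```

With this in front, Tomcat's own connector no longer needs SSLEnabled at all, and the per-directory rule can be tightened further (for example to a specific subject DN) without touching the container-wide settings the question struggles with.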

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow