Certificate Revocation List in Tomcat6

Deadly submitted on 2019-12-12 06:25:17

Question


I have implemented client authentication on my Tomcat server. I have distributed client X509 certificates and JKS which were generated using my own CA crt and OpenSSL. Now I want to use a CRL to block some of my clients. How do I add a CRL to Tomcat? I don't find any help from Google on this.


Answer 1:


I am answering my own question. In the Tomcat connector tag you have the crlFile parameter, which can be generated using openssl. The commands look something like this:

openssl ca -config openssl.my.cnf -revoke certs/server.crt
openssl ca -config openssl.my.cnf -gencrl -out crl/myca.crl

And the file myca.crl is to be updated in the connector tag of Tomcat, which looks something like this:

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
    port="8443"
    SSLEnabled="true"
    maxThreads="150"
    scheme="https"
    secure="true"
    clientAuth="true"
    sslProtocol="TLS"
    keystoreFile="one.mamoi.semdev.com.pkcs12"
    keystoreType="PKCS12"
    keystorePass="changeit"
    truststoreFile="server.truststore"
    truststorePass="changeit"
    truststoreType="JKS"
    crlFile="/home/ubuntu/myCA/crl/myca.crl"/>
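
A way to confirm that a generated CRL really blocks a client certificate before pointing crlFile at it. This is an added example, not part of the original answer: it builds a throwaway CA in a temporary directory, and ca.crt, client.crt and the subjects are constructed (openssl.my.cnf and myca.crl only reuse the answer's file names). It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: throwaway CA; every file name and subject below is constructed.
setup_ca() {   # $1 = work dir: writes a minimal CA config, a CA and one client cert
  mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"
  cat > "$1/openssl.my.cnf" <<EOF
[ ca ]
default_ca = myca
[ myca ]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$1/openssl.my.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -config "$1/openssl.my.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=client1" -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
  openssl ca -batch -config "$1/openssl.my.cnf" -in "$1/client.csr" -out "$1/client.crt" 2>/dev/null
}
gen_crl() {    # $1 = work dir, $2 = optional cert to revoke first (the answer's two commands)
  if [ -n "${2:-}" ]; then openssl ca -config "$1/openssl.my.cnf" -revoke "$2" 2>/dev/null; fi
  openssl ca -config "$1/openssl.my.cnf" -gencrl -out "$1/myca.crl" 2>/dev/null
}
cert_ok() {    # $1 = work dir, $2 = cert: true only if it chains to the CA and is not on the CRL
  openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/myca.crl" "$2" 2>/dev/null | grep -q ': OK$'
}
revoked_serials() {  # $1 = CRL file: print the serial numbers it lists
  openssl crl -in "$1" -noout -text | awk '/Serial Number:/ {print $3}'
}
d=$(mktemp -d); setup_ca "$d"
gen_crl "$d"; cert_ok "$d" "$d/client.crt" && echo "before revoke: accepted"
gen_crl "$d" "$d/client.crt"; cert_ok "$d" "$d/client.crt" || echo "after revoke: rejected"
echo "revoked serials: $(revoked_serials "$d/myca.crl")"
openssl crl -in "$d/myca.crl" -noout -lastupdate -nextupdate   # validity window of the CRL
```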


Source: https://stackoverflow.com/questions/10493436/certificate-revocation-list-in-tomcat6
