I'm running Tomcat 6 on Windows and would like to have Tomcat use a different trust store other than cacerts for Java client web requests. I've tried adding this setting:
-Djavax.net.ssl.trustStore="C:\ca.keystore"
To the registry in key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\Tomcat6\Parameters\Java
That doesn't seem to work though. It still uses the JRE cacerts store. Our Java code makes web requests to HTTPS endpoints and I would like to keep the certificates in a key store other than the JRE one because it gets removed when Java is uninstalled/updated.
But Tomcat still uses cacerts. I think the truststoreFile is just used to store client certificates from a client using a web browser and only used when clientAuth is set to true.
Tomcat truststores are used to validate client certificates. On the Ubuntu OS, by default Tomcat uses the "cacerts" file as the CA trust store. The file is located in the /etc/ssl/certs/java/ folder with a link to the file in $JAVA_HOME/lib/security/cacerts.
'cacerts' is a truststore. A trust store is used to authenticate peers. A keystore is used to authenticate yourself.
A keystore is used to store the private key and identity certificates that a specific program should present to both parties (server or client) for verification. A truststore is used to store certificates from Certificate Authorities (CA) that verify the certificate presented by the server in an SSL connection.
Turns out I was missing trustStorePassword. Here is the solution:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\Tomcat6\Parameters\Java
-Djavax.net.ssl.trustStore="C:\ca.keystore"
-Djavax.net.ssl.trustStorePassword="password"
Update: There seems to be some confusion in some of the comments here between what this setting and truststoreFile from server.xml do. I created a blog entry to explain the problem (in great detail) and how this solution addresses it and why changing server.xml does not.
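Added example, not part of the original answer: a small diagnostic that reports which trust store the JVM will use for outbound HTTPS and checks that the file opens with the configured password. The class name TrustStoreCheck is hypothetical; run it with the same -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword options that are set for the Tomcat service (Java 7 or later).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added diagnostic (hypothetical class name): shows the trust store settings the JVM
// received and proves the configured file opens with the configured password.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.trustStore");
        String pass = System.getProperty("javax.net.ssl.trustStorePassword");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());

        if (path == null) {
            // Without the property, JSSE uses the JRE's own store (jssecacerts, then cacerts).
            System.out.println("javax.net.ssl.trustStore is not set: JRE default store is in use");
            return;
        }
        System.out.println("trustStore         = " + path);
        System.out.println("trustStoreType     = " + type);
        // Never print the password itself, only whether it reached the JVM.
        System.out.println("trustStorePassword = " + (pass == null ? "<not set>" : "<set>"));

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            // With a password, load() verifies the store's integrity, so a wrong
            // password fails here with an IOException rather than at handshake time.
            ks.load(in, pass == null ? null : pass.toCharArray());
        }

        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias) && ks.getCertificate(alias) instanceof X509Certificate) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println(alias + " -> " + c.getSubjectX500Principal().getName()
                        + " (expires " + c.getNotAfter() + ")");
                trusted++;
            }
        }
        System.out.println(trusted + " trusted certificate entries");
        if (trusted == 0) {
            // A store with no trustedCertEntry aliases cannot validate any server certificate.
            System.out.println("WARNING: no trusted certificates; HTTPS validation will fail");
        }
    }
}
```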