users@glassfish.java.net

Re: GF v3 - Multiple CA's and 1 CRL

From: <glassfish_at_javadesktop.org>
Date: Wed, 27 Oct 2010 09:51:51 PDT

> On 21/10/10 11:57 PM, glassfish_at_javadesktop.org wrote:
> > Kumar or anyone,
> >
> > I have ...
> >
> > 2-way SSL setup with multiple CA's in my trust store
> > (cacerts.jks - including CA from Kumar's example)
> > a single CRL from one of the CA's in the trust store (mine)
> do you mean the CRL was also placed in the TrustStore? Or are you
> just saying the CRL-File had a single CRL generated by one of the
> CA's?

the CRL-File had a single CRL generated by one of the CA's

Cheers,
Eric

>
> regards,
> kumar
> > Certs from 3 different CA's in the trust model loaded into my
> > browser (one from Kumar's example)
> >
> > When I present a cert from the CA that also created the CRL
> > everything works. Page displays (even if it shouldn't - another
> > post).
> >
> > Problem ... When I present a cert from any other CA and they do
> > not have a CRL loaded (see multiple CRL's in another post), the
> > certpath processing seems to loop about 8 times and finally dies
> > on an exception (see below) and the browser shows a "The
> > connection was reset" server too busy error screen.
> >
> > certpath: CrlRevocationChecker.verifyWithSeparateSigningKey() got exception sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >
> > Please note that if I remove CRL processing (delete crl-file
> > attribute from <ssl ... />) all the certs work just fine and the
> > page is displayed.
> >
> > Any help would be greatly appreciated. (I'll let you write the
> > white paper ;) )
> >
> > Thanks,
> > Eric
> > [Message sent by forum member 'eliscinsky']
> >
> > http://forums.java.net/jive/thread.jspa?messageID=485888
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
> > For additional commands, e-mail: users-help_at_glassfish.dev.java.net
> >
[Message sent by forum member 'eliscinsky']

http://forums.java.net/jive/thread.jspa?messageID=486360