Apache Tomcat SSL problem

Question

I'm trying to configure Apache Tomcat to use SSL connection with client authentication (two way authentication). My certificates are CA signed. If I put CA certificate, together with client certificates, in tomcat truststore everything is OK. If I don't put CA cert in tomcat truststore, Tomcat won't trust to clients.

Do I need CA certificate in tomcat truststore?

If I put CA certificate in truststre then Tomcat will trust to every client that have certificate signed by the same CA.

Answer 1

Yes, you need the CA in the truststore. If you are unwilling to put the CA in the truststore, you should not use the CA.

Regarding your last paragraph, you could also examine the Distinguished Name of the client certificates for further authorization.

Answer 2

You are confusing trust, or authorization, with authentication. The only purpose of SSL certificates is to prove that the peer is who he says he is, i.e. establish his identity. You need to decide whether or not you trust that CA's procedures for verifying identity prior to signing CSRs, and if so put its certificate into the truststore.

Whether you want that identity to access parts of your system is a completely different question which you must solve in a different way, via a database of roles granted to identities. This is something that LDAP is particularly good at, but you can also use a DBMS or even an XML file in Tomcat. Have a look at Tomcat Realms for how to do this.

What you mustn't do is attempt to use the truststore as that database. That's not what it's for, and not the purpose for which it or PKI was designed. Which is why you're having problems trying to use it that way.