I have implemented client authentication on my Tomcat server. I have distributed client X509 certificates and JKS files, which were generated using my own CA crt and OpenSSL. Now I want to use a CRL to block some of my clients. How do I add a CRL to Tomcat? I don't find any help from Google on this.
I am answering my own question. In the Tomcat `Connector` tag you have the `crlFile` parameter, which can be generated using `openssl`. The commands look something like this:

```
openssl ca -config openssl.my.cnf -revoke certs/server.crt
openssl ca -config openssl.my.cnf -gencrl -out crl/myca.crl
```
And the file `myca.crl` is to be set in the `Connector` tag of Tomcat, which looks something like this:

```xml
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="8443"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           clientAuth="true"
           sslProtocol="TLS"
           keystoreFile="one.mamoi.semdev.com.pkcs12"
           keystoreType="PKCS12"
           keystorePass="changeit"
           truststoreFile="server.truststore"
           truststorePass="changeit"
           truststoreType="JKS"
           crlFile="/home/ubuntu/myCA/crl/myca.crl"/>
```
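The answer above gives the two `openssl ca` commands and the connector attribute, but not a way to confirm that the CRL you are about to point `crlFile` at actually rejects the right client. The script below is an added example, not part of the original answer or of Tomcat: it builds a throwaway CA with the same `openssl.my.cnf` / `openssl ca` workflow, issues two client certificates, revokes one, regenerates the CRL, and runs `openssl verify -crl_check` against each certificate. It assumes only the `openssl` CLI on `PATH`; every name in it (`demo-ca`, `client1`, `client2`, the temporary directory) is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original answer: a throwaway CA that follows the
# "openssl ca -revoke" / "openssl ca -gencrl" workflow, plus an offline check
# of which client certificate the resulting CRL rejects.  Assumes only the
# openssl CLI; demo-ca, client1 and client2 are constructed names.

build_demo_ca() {                       # $1 = CA directory (created here)
    cadir="$1"
    mkdir -p "$cadir/newcerts" "$cadir/crl" "$cadir/certs"
    : > "$cadir/index.txt"              # certificate database, empty at start
    echo 01 > "$cadir/serial"
    echo 01 > "$cadir/crlnumber"        # required by "openssl ca -gencrl"
    cat > "$cadir/openssl.my.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $cadir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext
[ demo_policy ]
commonName       = supplied
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Self-signed CA certificate and key (constructed for the example).
    openssl req -x509 -config "$cadir/openssl.my.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=demo-ca" -keyout "$cadir/ca.key" -out "$cadir/ca.crt" 2>/dev/null
}

issue_client() {                        # $1 = CA directory, $2 = client name
    cadir="$1"; name="$2"
    openssl req -new -config "$cadir/openssl.my.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$name" -keyout "$cadir/certs/$name.key" \
        -out "$cadir/certs/$name.csr" 2>/dev/null
    openssl ca -batch -notext -config "$cadir/openssl.my.cnf" \
        -in "$cadir/certs/$name.csr" -out "$cadir/certs/$name.crt" 2>/dev/null
}

revoke_client() {                       # marks the entry "R" in index.txt
    openssl ca -config "$1/openssl.my.cnf" -revoke "$1/certs/$2.crt" 2>/dev/null
}

regenerate_crl() {                      # writes the file that goes into crlFile=
    openssl ca -config "$1/openssl.my.cnf" -gencrl -out "$1/crl/myca.crl" 2>/dev/null
}

# Prints "accepted", "revoked" or "error: ..." for one client certificate,
# validating it against the CA with CRL checking enabled, which is the
# decision the connector makes once crlFile= points at the same CRL.
revocation_status() {
    cadir="$1"; name="$2"
    out=$(openssl verify -crl_check -CAfile "$cadir/ca.crt" \
              -CRLfile "$cadir/crl/myca.crl" "$cadir/certs/$name.crt" 2>&1) || true
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo accepted ;;
        *)                       echo "error: $out" ;;
    esac
}

demo_run() {
    d=$(mktemp -d)
    build_demo_ca "$d"
    issue_client "$d" client1
    issue_client "$d" client2
    regenerate_crl "$d"                 # an (empty) CRL must exist before -crl_check works
    echo "before revocation: client1 $(revocation_status "$d" client1)"
    revoke_client "$d" client1
    regenerate_crl "$d"
    echo "after revocation:  client1 $(revocation_status "$d" client1), client2 $(revocation_status "$d" client2)"
    echo "CRL to copy to the connector's crlFile path: $d/crl/myca.crl"
}

if [ "${1:-}" = demo ]; then demo_run; fi
```

Run it as `sh crl-demo.sh demo`. Two details matter in practice: `-crl_check` (and a connector configured with `crlFile`) needs a CRL for the issuing CA even when nothing has been revoked yet, so generate the empty CRL once right after creating the CA; and a revocation only takes effect after `-gencrl` has been rerun and the new file has been copied to the `crlFile` path and the connector restarted, so check the file with `openssl verify` as above before restarting Tomcat.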