Hey - sorry to be so slow in replying.
Not so sure about how tomcat would go about this in detail, but if
Winstone were to do it, it would be limited by whatever limitations the
JSSE components placed on reloading.
My guess (and I really mean guess here, because I have no experience at
all with this), would be that it would be a security risk to allow
reloading of certificates at runtime because you couldn't guarantee the
keystore in memory was the one on disk, so I suspect most
implementations would disallow reloading of the same keystore. They
might however allow loading of additional keystores, so you might be
able to work around the limitation at container level by shutting down
all open SSL sockets, and re-opening the listener with a new keystore
file configured (i.e. with new filename or something).
Note: as I said, I have no experience with this, so I might be
misleading you. I don't really have the time to research it, but if
someone can propose a solution or patch, I'll integrate it.
Martin Cordova wrote:
> Hi Rick, I am doing some tests with client certificate authentication,
> using Tomcat 6, and a webapps that allows for dynamic enrollment, I
> mean, client can generate his/her PKCS12 keystore via web, and the
> server will add it to the server trustStore, the client will import
> this Keystore into the browser and client_cert will work just fine...
> well, that's what I thought.
> The problem is that Tomcat6 cannot reload the KeyStore (as far as I
> know) so this dynamic enrollment scenario cannot work.
> My question is: I know that Winstone supports client_cert, what would
> be your suggestion about changing the Winstone code to support
> keystore reloading? Do you think that Winstone's design for this task
> will support this without complex code modifications?
> I just can't see how dynamic enrollment and CLIENT_CERT authentication
> can work (via JSSE) if there is no chance to reload keystores. This
> topic has been posted in tomcat list during the last years, without
> receiving an effective solution. I can't affor to restart the server
> everytime a new user enrolls himself.
> Thanks a lot in advance for any comment.