Is it possible to disable Tomcat's check for extended key usage, which defines the purpose (server, client) of an SSL certificate?
In my certificate the extended key usage (purpose) is set to SSLServer, but I need this certificate for client authentication too.
I was wondering if it is possible to skip this check in Tomcat?
No, it’s not possible.
Firstly, it’s the responsibility of whatever “consumes” the certificate (i.e. the entity that has to validate and verify it) to check the attributes. If you want to use an application within your Tomcat server to connect to another server, using client authentication, your application within Tomcat is then a client as far as that connection is concerned. It’s up to the server you’re connecting to to decide what it wants to check (and it will indeed check the extended key usage if this extension is present and if it can understand it).
Secondly, changing the extended key usage extension from your side would imply changing the certificate itself. By nature, this should only be possible if the CA makes these modifications and gives you a new certificate accordingly.
This being said, a number of CAs seem to enable both TLS Web Server Authentication (1.3.6.1.5.5.7.3.1) and TLS Web Client Authentication (1.3.6.1.5.5.7.3.2) in the certificates they issue for servers, without any extra option.
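The check the answer describes, done by the peer that consumes the certificate, can be shown in a few lines of code. The following is an added example, not code from the thread or from Tomcat: it decodes the DER value of an extendedKeyUsage extension (a SEQUENCE OF OBJECT IDENTIFIER, RFC 5280 section 4.2.1.12) with only the standard library and applies the purpose rule a verifying peer uses. The two DER byte strings are constructed by hand for the example, one carrying only TLS Web Server Authentication (1.3.6.1.5.5.7.3.1) and one carrying both that and TLS Web Client Authentication (1.3.6.1.5.5.7.3.2), which is the situation the question and the last paragraph of the answer describe.

```python
"""Decode an X.509 extendedKeyUsage value and apply a peer's purpose check.

Added example; not from the original thread. The DER samples at the bottom
are constructed by hand and are not real certificates.
"""

# Key purpose OIDs from RFC 5280 section 4.2.1.12 (a subset).
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}
ANY_EKU = "2.5.29.37.0"


def _read_tlv(data, pos):
    """Return (tag, content_octets, position_after_element) for the DER
    element starting at pos. Handles short and long length forms."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(content):
    """Dotted-decimal string from the content octets of an OBJECT IDENTIFIER."""
    arcs, acc = [], 0
    for byte in content:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends the base-128 arc
            arcs.append(acc)
            acc = 0
    first = arcs[0]
    # The first octet packs the first two arcs as 40*a + b.
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_eku(der):
    """Parse ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(content))
    return oids


def allows_purpose(eku_oids, purpose):
    """The rule a verifying peer applies: if the extension is absent (None)
    the certificate is not restricted; otherwise the OID for the required
    purpose, or anyExtendedKeyUsage, must be present."""
    if eku_oids is None:
        return True
    required = {oid for oid, name in EKU_NAMES.items() if name == purpose}
    return bool(required & set(eku_oids)) or ANY_EKU in eku_oids


# Constructed DER samples (SEQUENCE { OID ... }), not taken from real certificates.
SERVER_ONLY = bytes.fromhex("300a" "06082b06010505070301")
SERVER_AND_CLIENT = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")


def describe(der):
    """Human-readable list of purposes for a decoded extension value."""
    return [EKU_NAMES.get(oid, oid) for oid in parse_eku(der)]


if __name__ == "__main__":
    for label, der in (("server-only", SERVER_ONLY), ("server+client", SERVER_AND_CLIENT)):
        oids = parse_eku(der)
        print(label, describe(der),
              "clientAuth accepted:", allows_purpose(oids, "clientAuth"))
```

Run as a script it shows that the server-only value is rejected when a peer requires clientAuth while the dual-purpose value passes, which is why the fix sits with the CA (reissue with both purposes) rather than with Tomcat.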