To answer your question about Tomcat and the null certificate, you are correct in suspecting that Candlepin does its own certificate validation after Tomcat. We do this to allow multiple forms of authentication, and we also need some information out of the certificate (namely the CN).
Having looked at the code, let me amend that a little. If a client cert is provided, Tomcat will verify that it is signed by the CA listed in the Tomcat connector's truststore. If so (or if no cert is provided), the request moves to Candlepin. Candlepin will examine the request and perform its own authentication steps. In the case of client certificate authentication, Candlepin introspects the certificate and grabs the CN so we know exactly who we are talking to.

--------------
Regards,
Alex
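As an added illustration of the second stage described above (this is not Candlepin's own code), a servlet filter that reads the client chain Tomcat has already verified and extracts the CN; it assumes the connector is configured with `clientAuth="want"` so requests without a client certificate still reach the application, and the `auth.cn` attribute name is hypothetical:

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.*;

// Hypothetical filter (not Candlepin's): runs after Tomcat has already
// checked the client chain against the connector's truststore.
public class ClientCertCnFilter implements Filter {
    // Attribute Tomcat populates with the verified client chain, leaf first.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // clientAuth="want": no cert offered, let other auth methods run.
            chain.doFilter(req, res);
            return;
        }
        String cn = extractCn(certs[0]);
        if (cn == null) {
            throw new ServletException("client certificate has no CN");
        }
        req.setAttribute("auth.cn", cn);  // hypothetical attribute for downstream code
        chain.doFilter(req, res);
    }

    /** Returns the CN of the subject DN, or null if there is no CN RDN. */
    static String extractCn(X509Certificate cert) throws ServletException {
        try {
            // Parse the RFC 2253 DN string instead of splitting on commas,
            // which breaks on escaped separators inside attribute values.
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
            return null;
        } catch (InvalidNameException e) {
            throw new ServletException("unparseable subject DN", e);
        }
    }
}
```

The filter trusts the chain only because Tomcat has already validated it against the truststore; with `clientAuth="none"` the attribute is never set, and with `clientAuth="true"` the null branch is unreachable.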