axis-java-user mailing list archives

From Dennis Sosnoski <...@sosnoski.com>
Subject Re: Trusting entire certificate chain?
Date Thu, 04 Jun 2009 22:19:29 GMT
Hi Glen,

It really depends on what you want to do. If the server is just using a 
self-signed key there's no actual chain involved, so this issue only 
arises when the server is using a certificate issued by a private 
certificate authority (since if they're using one of the "official" 
public authorities the signing certificate will already be trusted). Do 
you want to be able to work with all services using certificates issued 
by this authority? If so, then you're best off just importing the 
authority's signing certificate. Otherwise there's no benefit, and 
you're best off just importing the specific certificate for that service.

This issue more often comes up when a service needs to work with client 
certificates which are issued by a private certificate authority. A 
private certificate authority is a great approach for when you have a 
lot of separate client systems needing to access services, since it 
gives you the added security of client certificates without the cost of 
paying for each certificate.

  - Dennis

-- 
Dennis M. Sosnoski
Java XML and Web Services
Axis2 Training and Consulting
http://www.sosnoski.com - http://www.sosnoski.co.nz
Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117
Glen Mazza wrote:
> Hello, for making a web service call over SSL we have added the server's
> public key into our SOAP client's truststore--evidently necessary for
> verifying the signature of the service response and also encrypting what is
> sent to the web service provider.  It works so far as-is.  But I was
> wondering--is it a cleaner/safer design, or actually not called for due to
> security issues, to actually import and trust the entire certificate chain,
> up to the root certificate, into the SOAP client's truststore?  I'm using a
> Java jks keystore, by the way. 
>
> Thanks,
> Glen
>
>   

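The two truststore designs discussed in this thread (import the private CA's signing certificate and accept every service it issues, or import one service's certificate and accept only that service) can be checked directly against a JKS file with the standard java.security.cert API. The program below is an added example written for this page; it is not code from the original thread, from Axis2, or from either poster. The class name TrustStoreCheck, the file names and the command-line arguments are assumptions. It loads a JKS truststore and a PEM file holding the chain a service presented (leaf first, as saved from "openssl s_client -showcerts"), and reports whether that chain would be trusted. It mirrors the JSSE trust manager's two rules: a leaf that is itself a trusted entry is accepted outright, and otherwise the path is validated under PKIX with every trusted-certificate entry in the store as a trust anchor. The same check covers the second case Dennis raises, a service validating a client certificate issued by the private CA: point it at the service's truststore and the client's chain.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/**
 * Added example (not from the mailing-list thread). Checks whether a
 * certificate chain validates against a JKS truststore the way the JSSE
 * default trust manager would decide it.
 *
 * Usage: java TrustStoreCheck <truststore.jks> <storepass> <chain.pem>
 *
 * Two truststores to compare (keytool commands, file names assumed):
 *   keytool -importcert -trustcacerts -alias privateca -file ca.pem \
 *           -keystore ca-trust.jks -storepass changeit
 *   keytool -importcert -alias onlythisservice -file service.pem \
 *           -keystore leaf-trust.jks -storepass changeit
 * ca-trust.jks accepts any leaf the private CA signs; leaf-trust.jks
 * accepts exactly the one certificate that was imported.
 */
public class TrustStoreCheck {

    /** Loads every certificate in a PEM or DER file, in file order (leaf first). */
    static List<X509Certificate> loadChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : certs) {
                chain.add((X509Certificate) c);
            }
            return chain;
        }
    }

    /** Loads a JKS truststore; only its trusted-certificate entries matter here. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Returns true if the chain is trusted by the given store.
     * Rule 1 (JSSE): a leaf that is itself an entry in the truststore is
     *   accepted without building a path; this is what importing one
     *   service's certificate relies on, and it trusts nothing else.
     * Rule 2 (PKIX): otherwise the path is validated with every trusted
     *   certificate in the store as an anchor, which is what importing the
     *   private CA's signing certificate relies on.
     */
    static boolean trusts(KeyStore trustStore, List<X509Certificate> chain) throws Exception {
        if (chain.isEmpty()) {
            return false;
        }
        if (trustStore.getCertificateAlias(chain.get(0)) != null) {
            return true; // rule 1: leaf is directly trusted
        }

        // PKIX expects the trust anchor outside the path, so cut the chain
        // at the first certificate that is itself a trusted entry.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate cert : chain) {
            if (trustStore.getCertificateAlias(cert) != null) {
                break;
            }
            path.add(cert);
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath certPath = cf.generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trustStore); // anchors = trusted entries
        params.setRevocationEnabled(false); // assumption: private CA publishes no CRL/OCSP
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return true; // rule 2: chain builds up to an anchor in the store
        } catch (CertPathValidatorException e) {
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java TrustStoreCheck <truststore.jks> <storepass> <chain.pem>");
            System.exit(2);
        }
        KeyStore ts = loadTrustStore(args[0], args[1].toCharArray());
        List<X509Certificate> chain = loadChain(args[2]);
        System.out.println(trusts(ts, chain) ? "chain is trusted" : "chain is NOT trusted");
    }
}
```

Running it with ca-trust.jks against a chain from any service the private CA issued prints "chain is trusted"; leaf-trust.jks prints that only for the one imported certificate and rejects a second service signed by the same CA. Two caveats a practitioner should keep in mind: this check, like CertPathValidator itself, does not compare the certificate's subject or SANs against the host you connected to (JSSE does that separately through endpoint identification), and revocation is switched off here because a typical private CA publishes no CRL, so a compromised service or client key stays trusted until the CA certificate is replaced or revocation checking is wired in.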