Hi Glen,

It really depends on what you want to do. If the server is just using a self-signed key there's no actual chain involved, so this issue only arises when the server is using a certificate issued by a private certificate authority (since if they're using one of the "official" public authorities the signing certificate will already be trusted). Do you want to be able to work with all services using certificates issued by this authority? If so, then you're best off just importing the authority's signing certificate. Otherwise there's no benefit, and you're best off just importing the specific certificate for that service.

This issue more often comes up when a service needs to work with client certificates which are issued by a private certificate authority. A private certificate authority is a great approach for when you have a lot of separate client systems needing to access services, since it gives you the added security of client certificates without the cost of paying for each certificate.

 - Dennis

--
Dennis M. Sosnoski
Java XML and Web Services
Axis2 Training and Consulting
http://www.sosnoski.com - http://www.sosnoski.co.nz
Seattle, WA +1-425-939-0576 - Wellington, NZ +64-4-298-6117



Glen Mazza wrote:
Hello, for making a web service call over SSL we have added the server's
public key into our SOAP client's truststore--evidently necessary for
verifying the signature of the service response and also encrypting what is
sent to the web service provider.  It works so far as-is.  But I was
wondering--is it a cleaner/safer design, or actually not called for due to
security issues, to actually import and trust the entire certificate chain,
up to the root certificate, into the SOAP client's truststore?  I'm using a
Java jks keystore, by the way.
Thanks,
Glen