I am using Rampart 1.4 with Axis2 1.4.1. We are signing and encrypting the SOAP body.

On the server side, to support multiple clients, we have specified the value "useReqSigCert" for the parameter ramp:encryptionUser. On the client side, we have specified the alias of the server certificate as the value for the parameter ramp:encryptionUser. My question is around key rotation.

Case 1: Client has a new certificate.
-----------------------------------------------
As per my understanding this should be as simple as importing the new client certificate into the server keystore with a new alias. Since we don't use client certificate alias names on the server side, as and when the client starts sending us requests signed with the new certificate, the server will start using the new certificate to verify the signature and encrypt the response. Please confirm if my understanding is correct.

Case 2: Server has a new certificate
-----------------------------------------------
Without the need to synchronize client and server deployment activities, I am not sure how this can be done without downtime, as the server certificate alias name, which is tied to the old certificate, is used in the Rampart configuration. Any suggestions?

Is there any best practices document available with details on this topic?

Thanks in advance,
Rajan
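For readers following the two cases above, here is an added example (not from the original post or from the Rampart project) of the two RampartConfig fragments being contrasted: the server side with ramp:encryptionUser set to useReqSigCert, and the client side with ramp:encryptionUser set to a fixed keystore alias. Keystore file names, aliases (client, service), the password callback class and the keystore password are placeholders assumed for illustration. The comments mark which setting is independent of alias names (Case 1) and which one pins a specific alias (Case 2).

```xml
<!-- SERVER-SIDE RampartConfig (added example; alias/file names are placeholders) -->
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
  <!-- alias of the server's own private key, used to sign responses -->
  <ramp:user>service</ramp:user>
  <!-- useReqSigCert: encrypt the response with whatever certificate signed the
       request, so no per-client alias is referenced here. A client certificate
       still has to be trusted by the keystore below for signature verification,
       which is why importing a new client certificate (under any alias) is the
       only server-side change needed for Case 1. -->
  <ramp:encryptionUser>useReqSigCert</ramp:encryptionUser>
  <ramp:passwordCallbackClass>com.example.PWCBHandler</ramp:passwordCallbackClass>
  <ramp:signatureCrypto>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
    </ramp:crypto>
  </ramp:signatureCrypto>
  <ramp:encryptionCrypto>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
    </ramp:crypto>
  </ramp:encryptionCrypto>
</ramp:RampartConfig>

<!-- CLIENT-SIDE RampartConfig (added example; alias/file names are placeholders) -->
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
  <!-- alias of the client's own private key, used to sign requests -->
  <ramp:user>client</ramp:user>
  <!-- Fixed alias of the SERVER certificate in client.jks. This single value
       binds the client to one server certificate entry, which is the coupling
       behind Case 2: rotating the server certificate means either this alias
       or the certificate stored under it has to change on every client. -->
  <ramp:encryptionUser>service</ramp:encryptionUser>
  <ramp:passwordCallbackClass>com.example.PWCBHandler</ramp:passwordCallbackClass>
  <ramp:signatureCrypto>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
    </ramp:crypto>
  </ramp:signatureCrypto>
  <ramp:encryptionCrypto>
    <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.file">client.jks</ramp:property>
      <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">changeit</ramp:property>
    </ramp:crypto>
  </ramp:encryptionCrypto>
</ramp:RampartConfig>
```

The useful check when planning a rotation is to ask, for each side, which keystore entry a configuration value names explicitly: an explicit alias (the client's ramp:encryptionUser above) has to be updated on every party that holds it, while a request-derived selection like useReqSigCert only requires that the keystore trusts the new certificate during the overlap period.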