To clarify my response - just adding the certificate authority works for making SSL connections, and should also work for WS-Security signing if configured properly, but in order to use WS-Security encryption inbound to the server you'd still need to add the individual certificate for that server.

 - Dennis


Dennis Sosnoski wrote:
Hi Glen,

It really depends on what you want to do. If the server is just using a self-signed key there's no actual chain involved, so this issue only arises when the server is using a certificate issued by a private certificate authority (since if they're using one of the "official" public authorities the signing certificate will already be trusted). Do you want to be able to work with all services using certificates issued by this authority? If so, then you're best off just importing the authority's signing certificate. Otherwise there's no benefit, and you're best off just importing the specific certificate for that service.

This issue more often comes up when a service needs to work with client certificates which are issued by a private certificate authority. A private certificate authority is a great approach for when you have a lot of separate client systems needing to access services, since it gives you the added security of client certificates without the cost of paying for each certificate.

 - Dennis
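As an added illustration of the distinction Dennis draws (not code from the thread, and not Axis2/Rampart or WSS4J code), the Go program below builds a throwaway private CA in memory, has it issue certificates for two services, and then models a trust store holding exactly one imported certificate. It shows that importing the CA's certificate makes every service it issued trusted, that importing one service's own certificate trusts only that service, and that encrypting to a recipient requires that recipient's own certificate: data encrypted under the CA's public key cannot be decrypted by the service's private key. The CA name, the service names, and the message are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Demo holds a constructed private CA and two services whose certificates it
// issued. Everything is generated in memory; none of it is a real PKI.
type Demo struct {
	CA, ServiceA, ServiceB *x509.Certificate
	CAKey, AKey, BKey      *rsa.PrivateKey
}

// issue generates an RSA key and a certificate for cn. With parent == nil the
// certificate is self-signed; otherwise it is signed by parent's key.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = nil
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NewDemo builds the constructed CA and two service certificates it issued.
func NewDemo() *Demo {
	ca, caKey := issue("Example Private CA", true, nil, nil)
	a, aKey := issue("servicea.example.test", false, ca, caKey)
	b, bKey := issue("serviceb.example.test", false, ca, caKey)
	return &Demo{CA: ca, ServiceA: a, ServiceB: b, CAKey: caKey, AKey: aKey, BKey: bKey}
}

// TrustedBy models a trust store containing exactly one imported certificate
// (anchor) and reports whether cert chains to it.
func TrustedBy(cert, anchor *x509.Certificate) bool {
	store := x509.NewCertPool()
	store.AddCert(anchor)
	_, err := cert.Verify(x509.VerifyOptions{Roots: store})
	return err == nil
}

// EncryptTo encrypts msg so that only the holder of cert's private key can
// read it, the way WS-Security encryption targets one specific recipient.
func EncryptTo(cert *x509.Certificate, msg []byte) ([]byte, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("not an RSA certificate")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt is the recipient side of EncryptTo.
func Decrypt(key *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ct, nil)
}

func main() {
	d := NewDemo()
	fmt.Println("CA imported, service A trusted:      ", TrustedBy(d.ServiceA, d.CA))
	fmt.Println("CA imported, service B trusted:      ", TrustedBy(d.ServiceB, d.CA))
	fmt.Println("A's cert imported, service A trusted:", TrustedBy(d.ServiceA, d.ServiceA))
	fmt.Println("A's cert imported, service B trusted:", TrustedBy(d.ServiceB, d.ServiceA))
	ct, _ := EncryptTo(d.ServiceA, []byte("SOAP body"))
	_, err := Decrypt(d.AKey, ct)
	fmt.Println("encrypted to A's cert, A can decrypt:", err == nil)
	ct, _ = EncryptTo(d.CA, []byte("SOAP body"))
	_, err = Decrypt(d.AKey, ct)
	fmt.Println("encrypted to CA cert, A can decrypt: ", err == nil)
}
```

TrustedBy deliberately uses a pool with a single entry so each run answers one question about one imported certificate; in a real deployment the same check runs against the whole truststore, and the SSL and signature-verification cases reduce to the first two lines of output while the inbound-encryption case is the last two.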
