> My question is why do I have to add these certificates to the keystore at > all? They validate fine in a browser (in fact, that is where I always get > the x.50- certificate from... by exporting it through the browser).
The reason they validate fine in a browser is because browsers come with a pretty large set of root certificates. The JVM does not. My guess is you could import all of the root certificates from your browser into your JVM if you really wanted to, and not have to worry about anything for quite a while. Now, the fact that browsers come with so many trusted certificates is actually kind of a problem - when someone misuses a CA cert, it can be hard to ensure that the cert they fraudulently create isn't trusted by browsers by default. There isn't really a good universal revocation process. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349870 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
