Hi,

As per the documentation in [1], the certificate of the CA which issued the client certificate should be added to the JVM trust store. Please find the following concerns regarding this.

- We should add the CA certificate which issued the client certificate as a certificate authority in the browser, so that it will be added to the root certificate store in the browser. The CA certificates in the root certificate store will determine which endpoints we will be allowed to communicate with; in this case it will allow the client to connect to whichever server presents a certificate which was signed by one of the certificate authorities.
- During mutual SSL with the X509 authenticator, there is no need to consider the JVM trust store on the client side, since this is a direct call from the browser to the server.
- During mutual SSL with the X509 authenticator, there is no need to consider the JVM trust store on the server side, since on the server side we have a configured trust store. The JVM trust store is needed only if the server's configured trust store is not loaded into the SSLContext.

So, AFAIU, it is not needed to add the CA certificate to the JVM trust store on either the client or the server side. WDYT? Appreciate your ideas on this.

[1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-Workingwithcertificates

Thanks and Regards
--
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email [email protected]
Mobile 0772182255
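How a Java TLS endpoint selects its trust anchors, as an added example that is not part of the original message and not WSO2 code: trust managers built from an explicitly loaded store use only that store, while a null store makes JSSE fall back to the JVM default. The class name, the command-line arguments and the empty stand-in store are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical class; run as: java TrustStoreSources <truststore-file> <password>
public class TrustStoreSources {

    // A null store makes JSSE use the JVM default trust store
    // (javax.net.ssl.trustStore if set, otherwise jssecacerts/cacerts).
    static TrustManager[] trustManagers(KeyStore store) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        return tmf.getTrustManagers();
    }

    // Number of CA certificates a set of trust managers will accept as issuers.
    static int issuerCount(TrustManager[] managers) {
        int count = 0;
        for (TrustManager tm : managers) {
            if (tm instanceof X509TrustManager) {
                count += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        KeyStore configured = KeyStore.getInstance(KeyStore.getDefaultType());
        if (args.length == 2) {
            try (InputStream in = new FileInputStream(args[0])) {
                configured.load(in, args[1].toCharArray());
            }
        } else {
            configured.load(null, null); // constructed stand-in: an empty store
        }
        TrustManager[] fromConfigured = trustManagers(configured);
        TrustManager[] fromJvmDefault = trustManagers(null);

        // A context initialized with explicit trust managers validates peer
        // certificates (client certificates, on a server) against those only.
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, fromConfigured, null); // key managers omitted here

        System.out.println("Issuers in configured store:   " + issuerCount(fromConfigured));
        System.out.println("Issuers in JVM default store:  " + issuerCount(fromJvmDefault));
    }
}
```

Running it against a server's configured trust store shows whether the client certificate's issuing CA is among the issuers that store accepts, independent of what the JVM default store contains.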
