Raghu Saxena <[email protected]> writes:

> I need to use mTLS for client auth with Financial Institutions. They've now
> switched to X9 PKI, needed to add the X9 PKI root to my application's trust
> store,

Just out of interest, is the trusted cert set now union( X9_root, every_CA_in_existence ) or is the X9 root siloed off? Once you've set up your trusted CA system, always check whether a random cert from GoDaddy can get in just as easily as one from the trusted CA. Or to put it another way, unless it's the free-for-all of web PKI use, never use the system's trusted cert store when security really matters.

This is a real issue I've run into several times, including on USG systems, and it was an actual GoDaddy cert that got them in in that case. AD being used to manage certificates is the pen-tester's gift that keeps on giving.

Peter.

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
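The check described in the message above, written out as an added example that is not part of the thread: it builds two constructed roots (a stand-in for the X9 root and a stand-in for an unrelated public CA, neither a real CA), issues a client-auth certificate under each, and then verifies both leaves against a siloed pool containing only the X9 stand-in and against a union pool containing both. The names (`newCA`, `issueClient`, `acceptsClient`, `RunTrustStoreCheck`) and the certificate subjects are assumptions made for the example; the point it demonstrates is that only the siloed pool rejects the leaf from the unrelated CA, which is exactly the property to test after adding a partner root to an mTLS trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a short-lived self-signed root. Constructed test data only;
// the name is a label, not a real X9 or public CA.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issueClient signs a TLS client-auth leaf under the given root.
func issueClient(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// acceptsClient reports whether leaf chains to a root in pool for client auth,
// which is the decision an mTLS server makes for a presented client cert.
func acceptsClient(pool *x509.CertPool, leaf *x509.Certificate) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// TrustStoreResult records the three outcomes the check is interested in.
type TrustStoreResult struct {
	SiloedAcceptsX9    bool // expected true: the partner's own cert works
	SiloedAcceptsOther bool // expected false: unrelated CA is kept out
	UnionAcceptsOther  bool // true: the union store lets the unrelated CA in
}

// RunTrustStoreCheck performs the siloed-vs-union comparison end to end.
func RunTrustStoreCheck() TrustStoreResult {
	x9Root, x9Key := newCA("Constructed X9 Root (stand-in)")
	otherRoot, otherKey := newCA("Constructed Public CA Root (stand-in)")
	x9Client := issueClient(x9Root, x9Key, "bank-client")
	otherClient := issueClient(otherRoot, otherKey, "random-client")

	siloed := x509.NewCertPool() // only the partner root
	siloed.AddCert(x9Root)
	union := x509.NewCertPool() // partner root plus everything else
	union.AddCert(x9Root)
	union.AddCert(otherRoot)

	return TrustStoreResult{
		SiloedAcceptsX9:    acceptsClient(siloed, x9Client),
		SiloedAcceptsOther: acceptsClient(siloed, otherClient),
		UnionAcceptsOther:  acceptsClient(union, otherClient),
	}
}

func main() {
	r := RunTrustStoreCheck()
	fmt.Printf("siloed accepts X9 client: %v\n", r.SiloedAcceptsX9)
	fmt.Printf("siloed accepts other-CA client: %v\n", r.SiloedAcceptsOther)
	fmt.Printf("union accepts other-CA client: %v\n", r.UnionAcceptsOther)
}
```

In a real deployment the `siloed` pool is what goes into the server's `tls.Config.ClientCAs`, and the test worth keeping in CI is the negative one: a leaf issued by any root outside that pool must fail the handshake.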
