> The server would have to have many public keys, do they need to put in one keystore?
Yes, as you're using issuer serial to reference the public key required to verify the signature. A better solution is to use Direct Reference, so the X.509 cert is included in the request. In this case, the server has all of the information it needs to verify the request and so it doesn't need to know anything about the public key of the client. All it needs to have is the public key of the CA that issued the client cert installed in the keystore, so that it can verify trust on the transmitted client cert.

> what about alias field from the properties?

That's not used for the server case, only for the client.

Colm.

-----Original Message-----
From: Lukasz Lichota [mailto:[email protected]]
Sent: 15 July 2009 13:56
To: [email protected]
Subject: WS-S Signature - multiple public keys on server side

Let's say I have a client that needs to sign a message. The client uses

<entry key="signatureKeyIdentifier" value="IssuerSerial" />

so the public key is preinstalled on the server. How about the case when there is more than one client, each with a different key? The server would have to have many public keys; do they need to be put in one keystore? What about the alias field from the properties?

org.apache.ws.security.crypto.merlin.keystore.alias=client

What should its value be in this case? Is such a configuration possible at all?

--
View this message in context: http://www.nabble.com/WS-S-Signature---multiple-public-keys-on-server-side-tp24497380p24497380.html
Sent from the cxf-user mailing list archive at Nabble.com.
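The configuration Colm describes, as an added example that is not part of the thread and not CXF or WSS4J project code. It assumes CXF with the WSS4J 1.5-era interceptors and the property keys defined in `org.apache.ws.security.handler.WSHandlerConstants`; the property file names, the alias `client-a` and the callback class are made up for the illustration. The client signs with its own key pair and embeds its X.509 certificate in the message (`DirectReference`), so the server's keystore only has to hold the CA certificate it trusts and, as the reply says, no alias is consulted on the server side.

```java
// Added example (not from the mailing-list thread). Assumed: CXF with the
// WSS4J 1.5 interceptors; property keys from WSHandlerConstants.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

public class DirectReferenceSigning {

    // Hypothetical alias of the client's key pair in client_sign.properties'
    // keystore (the "user" the outbound interceptor signs as).
    public static final String CLIENT_ALIAS = "client-a";

    // Supplies the private-key password for the signing alias only; any other
    // identifier is refused so an unexpected key cannot be unlocked.
    public static class ClientKeyPasswordCallback implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if (CLIENT_ALIAS.equals(pc.getIdentifier())) {
                    pc.setPassword("client-key-password"); // placeholder, load from config in practice
                } else {
                    throw new IOException("no password for key alias " + pc.getIdentifier());
                }
            }
        }
    }

    // Client side: Signature action, signing key chosen by alias, certificate
    // carried in the message as a BinarySecurityToken (DirectReference) rather
    // than referenced by issuer/serial.
    //
    // client_sign.properties (assumed contents):
    //   org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
    //   org.apache.ws.security.crypto.merlin.keystore.type=jks
    //   org.apache.ws.security.crypto.merlin.keystore.password=<keystore password>
    //   org.apache.ws.security.crypto.merlin.keystore.alias=client-a
    //   org.apache.ws.security.crypto.merlin.file=client.jks
    public static WSS4JOutInterceptor clientSigner() {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
        props.put(WSHandlerConstants.USER, CLIENT_ALIAS);
        props.put(WSHandlerConstants.SIG_PROP_FILE, "client_sign.properties");
        props.put(WSHandlerConstants.PW_CALLBACK_CLASS, ClientKeyPasswordCallback.class.getName());
        props.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference"); // was "IssuerSerial"
        return new WSS4JOutInterceptor(props);
    }

    // Server side: verify the signature with the certificate carried in the
    // message. The keystore named in server_verify.properties only needs the
    // CA certificate(s) that issued the client certificates; the interceptor
    // uses it to establish trust in the transmitted certificate. No alias
    // entry is needed or used here, however many clients there are.
    //
    // server_verify.properties (assumed contents):
    //   org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
    //   org.apache.ws.security.crypto.merlin.keystore.type=jks
    //   org.apache.ws.security.crypto.merlin.keystore.password=<truststore password>
    //   org.apache.ws.security.crypto.merlin.file=server-truststore.jks
    public static WSS4JInInterceptor serverVerifier() {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
        props.put(WSHandlerConstants.SIG_PROP_FILE, "server_verify.properties");
        return new WSS4JInInterceptor(props);
    }
}
```

Register the returned interceptors on the client's and endpoint's out/in interceptor chains respectively. Two defender-side notes follow from the thread: with `IssuerSerial` the server keystore would instead have to contain every client's certificate (each under any alias, since lookup is by issuer and serial, not alias), and with `DirectReference` the server's truststore should contain only the CA(s) it actually intends to trust, because any certificate chaining to a trusted CA will pass the trust check.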
