Thanks for the reply 

IssuerSerial needs to be used because I'm thinking about the case when the
client's certificate is not signed by any CA (e.g. was obtained from the
service provider company).


Colm O hEigeartaigh wrote:
> 
> 
>> The server would have to have many public keys, do they need to put in
>> one keystore?
> 
> Yes, as you're using issuer serial to reference the public key required
> to verify the signature. A better solution is to use Direct Reference,
> so the X.509 cert is included in the request. In this case, the server
> has all of the information it needs to verify the request and so it
> doesn't need to know anything about the public key of the client. All it
> needs to have is the public key of the CA that issued the client cert
> installed in the keystore, so that it can verify trust on the
> transmitted client cert.
> 
>> what about alias field from the properties? 
> 
> That's not used for the server case, only for the client.
> 
> Colm.
> 
> 

-- 
View this message in context: 
http://www.nabble.com/WS-S-Signature---multiple-public-keys-on-server-side-tp24497380p24532584.html
Sent from the cxf-user mailing list archive at Nabble.com.
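
The two key identifier settings discussed in this thread, side by side, as an added example that is not part of the original messages or the CXF project's own code. It assumes CXF's WSS4J interceptors configured through their string property keys; the alias, the properties file names and the callback class are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;

public class SignatureKeyIdentifierExample {

    // Client side: sign the request and choose how the signing certificate
    // is referenced in the WS-Security header.
    //   "IssuerSerial"    -> only issuer name + serial number are sent; the
    //                        server must already hold this client's cert.
    //   "DirectReference" -> the X.509 cert travels in the request as a
    //                        BinarySecurityToken; the server only needs the
    //                        issuing CA cert to establish trust.
    static WSS4JOutInterceptor clientSigner(String keyIdentifier) {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put("action", "Signature");
        props.put("user", "clientkey");                              // hypothetical key alias
        props.put("signaturePropFile", "client-crypto.properties");  // hypothetical file name
        props.put("passwordCallbackClass",
                  "example.ClientKeystorePasswordCallback");         // hypothetical class
        props.put("signatureKeyIdentifier", keyIdentifier);
        return new WSS4JOutInterceptor(props);
    }

    // Server side: the interceptor configuration is the same for both modes
    // and no alias is set. What changes is the content of the keystore that
    // server-crypto.properties (hypothetical file name) points to:
    //   IssuerSerial    -> one trusted entry per client certificate, which is
    //                      also what self-signed client certs require.
    //   DirectReference -> the CA certificate(s) that issued the client certs.
    static WSS4JInInterceptor serverVerifier() {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put("action", "Signature");
        props.put("signaturePropFile", "server-crypto.properties");
        return new WSS4JInInterceptor(props);
    }

    public static void main(String[] args) {
        WSS4JOutInterceptor issuerSerialClient = clientSigner("IssuerSerial");
        WSS4JOutInterceptor directRefClient = clientSigner("DirectReference");
        WSS4JInInterceptor server = serverVerifier();
        System.out.println("Interceptors created: " + issuerSerialClient
                + ", " + directRefClient + ", " + server);
    }
}
```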
