Dear list, while playing with the Fediz IDP / STS, some questions arose in the context of certificates used:
In the sample keystores of IDP (clientstore.jks) and STS (stsstore.jks), there are a number of certificates included:

IDP (clientstore.jks)
- mystskey, Feb 9, 2011, trustedCertEntry
- myservicekey, Feb 28, 2011, trustedCertEntry
- myclientkey, Feb 9, 2011, PrivateKeyEntry

STS (stsstore.jks)
- mystskey, Feb 9, 2011, PrivateKeyEntry
- myservicekey, Feb 9, 2011, trustedCertEntry
- myclientkey, Feb 9, 2011, trustedCertEntry

We currently have the following understanding:
- mystskey: private key of the STS, used for signing the requested token (???), imported into the IDP trust store for the SSL connection to the STS (in case the STS key is used as the SSL certificate)
- myservicekey: purpose unclear
- myclientkey: private key of the IDP, used for authentication against the STS, if client authentication is enabled

Is our understanding correct so far? It would be great if someone could shed some more light on the various certificates involved and their purpose.

A few other questions in this area:
- Is (or should) the IDP use mutual SSL authentication to the STS?
- Which certificates need to be known to the Tomcat plugin? The STS certificate for validating the token? Or is the Tomcat plugin ever connecting to the IDP issue URL and therefore would also need to have the IDP HTTPS endpoint certificate in the trust store?

Thank you & regards,
Christian
