In my STS, I recently set up certificate constraints by setting ws-security.subject.cert.constraints on my jaxws:endpoint in my CXF config. This seems to work OK for the certificate that signs the RST messages I send up. But when the RST contains another, non-signing certificate - e.g., when using the Validate interface to validate a previously issued token - I get a warning in the log stating "No Subject DN Certificate Constraints were defined." I don't think this is an issue so much, but it does make me wonder if there is a way to set cert constraints for non-signing certificates?
Stephen W. Chappell
