I need to trust a client certificate on my Tomcat. I have added both the root (VeriSign) and the customer's domain certificate to the server truststore, and it works fine and accepts the client connection.
Now the question is: does adding the root VeriSign cert to the truststore accept anything signed by that VeriSign cert? Or would that only be the case if I added it to the cacerts? Is it safe to leave it in the truststore?
I am using Tomcat 6 and Java 1.6 on Linux.
Thanks
Yes, it does. Your application still needs to perform an authorization step, based on the roles that are allocated to the user identified by the certificate. You shouldn't attempt to do that with the truststore and certificate alone; that's not the purpose of the mechanism. It is there for authentication. You are talking about authorization.
NB: You are using your local truststore instead of the JRE's cacerts file.
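The distinction the answer draws (a CA in the truststore authenticates every certificate that chains to it; deciding which of those subjects may use the application is a separate authorization step) can be shown with a small OpenSSL lab. This is an added example, not code from the question or the answer. It assumes OpenSSL 1.1.1 or later is on the PATH, uses a constructed self-signed CA as a stand-in for the VeriSign root, a second constructed CA as an unrelated issuer, and a PEM file as the truststore in place of Tomcat's JKS; the names `rootca`, `otherca`, `customer.example.com`, `stranger.example.net`, `rogue.example.org` and the allowlist in `authorized` are all made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): what trusting a CA actually grants.
set -eu

LAB=$(mktemp -d)

# Minimal req config so the lab does not depend on the system openssl.cnf.
cat > "$LAB/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
# Leaf extensions: client-auth certificate, not a CA.
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$LAB/leaf.ext"

# Create a self-signed CA (constructed stand-in for the VeriSign root).
make_ca() {            # make_ca <name>
    openssl req -x509 -config "$LAB/openssl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$LAB/$1.key" -out "$LAB/$1.crt" >/dev/null 2>&1
}

# Issue a client certificate for <cn> signed by <ca>.
issue_client() {       # issue_client <ca> <cn>
    openssl req -new -config "$LAB/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$LAB/$2.key" -out "$LAB/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$LAB/$2.csr" -CA "$LAB/$1.crt" \
        -CAkey "$LAB/$1.key" -CAcreateserial -extfile "$LAB/leaf.ext" \
        -out "$LAB/$2.crt" >/dev/null 2>&1
}

# Authentication: the only question the truststore answers is
# "does this certificate chain to something I trust?"
authenticated() {      # authenticated <truststore.pem> <cert.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Authorization: the application's own decision about the authenticated
# subject. Here a hypothetical allowlist on the subject DN.
authorized() {         # authorized <cert.pem>
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    subj=${subj#subject=}
    subj=${subj# }
    case "$subj" in
        "CN=customer.example.com") return 0 ;;
        *) return 1 ;;
    esac
}

# Build the lab: one trusted root, one unrelated CA, three client certs.
make_ca rootca
make_ca otherca
issue_client rootca  customer.example.com   # the customer from the question
issue_client rootca  stranger.example.net   # anyone else that root has signed
issue_client otherca rogue.example.org      # a cert the truststore never saw
cp "$LAB/rootca.crt" "$LAB/truststore.pem"  # truststore holds only the root

for c in customer.example.com stranger.example.net rogue.example.org; do
    if authenticated "$LAB/truststore.pem" "$LAB/$c.crt"; then a=accepted; else a=rejected; fi
    if authorized "$LAB/$c.crt"; then z=allowed; else z=denied; fi
    echo "$c: TLS client auth $a, application authorization $z"
done
```

With only the root in the truststore, `stranger.example.net` is accepted by the TLS layer exactly as `customer.example.com` is, because both chain to the trusted root; only the allowlist in `authorized` separates them. `rogue.example.org` never gets that far. This is why the truststore is safe to keep as is, provided the application does its own authorization on the authenticated subject.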