1
votes

I need to trust a client certificate on my tomcat, I have added both the root (verisign) and customers domain certificate to the server truststore and it works fine and accepts the client connection.

Now the question is, does adding the root verisign cert to the truststore accept anything signed by that verisign cert? Or would that only be the case if I added it to the cacerts? Is it safe to leave it in the truststore?

I am using tomcat 6 and java 1.6 on linux

Thanks

1
Java Security By Scott Oaks tells me that I must have the root certificate of the CA in the truststore also so I will keep that in. - kontiki

1 Answers

1
votes

does adding the root verisign cert to the truststore accept anything signed by that verisign cert?

Yes it does. Your application still needs to perform an authorization step, based on the roles that are allocated to the user identified by the certificate. You shouldn't attempt to do that with the truststore and certificate alone, that's not the purpose of the mechanism. It is there for authentication. You are talking about authorization.

NB You are using your local truststore instead of the JRE's cacerts file.