
Root CA Certificate Or Single Certificate

James Ellis
Ranch Hand

Joined: Oct 14, 2004
Posts: 205
I am developing an application that will use JSSE to make an HTTPS call from a client. The server hosting the web page that I will call via HTTPS has a valid certificate signed by Entrust.

On the client, the cacerts file doesn't have Entrust listed, so I know I have to import something into this file.

The question is...which certificate should I import into the cacerts file...the certificate from the server, or the certificate from Entrust for the root CA?

I would think that if I import the certificate off the server, this would come with an expiration date, whereas the root CA's certificate would not expire (or expire much later).

Any feedback would be appreciated.
greg stark
Ranch Hand

Joined: Aug 10, 2006
Posts: 220
If you "trust" the Entrust certificate, then import it rather than the server certificate.


Nice to meet you.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4659

I have a more fundamental question first:

If you are controlling the server and writing the client program, why do you care about CA? Why not just invent your own cert and sign it yourself using free tools like OpenSSL?

The security is not improved by using a commercial CA. What they provide is a way for consumers using browsers to have some level of trust that the site is real. If there is no user eyeball, why does it make any difference?

Not knowing which cert product you or your boss bought, it's hard to say, but a lot of SSL certs on the market simply certify that someone paid for the cert; there is no real "certification" going on.

Pat
James Ellis
Ranch Hand

Joined: Oct 14, 2004
Posts: 205
Thanks for your responses.

"If you are controlling the server and writing the client program, why do you care about CA? Why not just invent your own cert and sign it yourself using free tools like OpenSSL?"


I don't control the server...I just call it from my program. And they already have a certificate signed by Entrust, and are paying for it...so that's what certificate I'm going to have to use.
 