Root CA Certificate Or Single Certificate

 
Ranch Hand
Posts: 205
I am developing an application that will use JSSE to make an HTTPS call from a client. The server hosting the web page that I will call via HTTPS has a valid certificate signed by Entrust.

On the client, the cacerts file doesn't have Entrust listed, so I know I have to import something into this file.

The question is...which certificate should I import into the cacerts file...the certificate from the server, or the certificate from Entrust for the root CA.

I would think that if I import the certificate off the server, this would come with an expiration date, whereas the root CA's certificate would not expire (or expire much later).

Any feedback would be appreciated.
 
Ranch Hand
Posts: 220
If you "trust" the Entrust certificate, then import it rather than the server certificate.
 
Rancher
Posts: 4803
I have a more fundamental question first:

If you are controlling the server and writing the client program, why do you care about CA? Why not just invent your own cert and sign it yourself using free tools like OpenSSL?

The security is not improved by using a commercial CA. What they provide is a way for consumers using browsers to have some level of trust that the site is real. If there is no user eyeball, why does it make any difference?

Not knowing which cert product you or your boss bought, it's hard to say, but a lot of SSL certs on the market simply certify that someone paid for the cert, there is no real 'certification' going on.

Pat
 
James Ellis
Ranch Hand
Posts: 205
Thanks for your responses.

> If you are controlling the server and writing the client program, why do you care about CA? Why not just invent your own cert and sign it yourself using free tools like OpenSSL?

I don't control the server...I just call it from my program. And they already have a certificate signed by Entrust, and are paying for it...so that's what certificate I'm going to have to use.
 