We are developing SOAP-based web services and have decided to secure them using SSL certificates. I have gone through some of the tutorials on SSL certificates. Below are my doubts regarding this:
1. If we have 5 SOAP web service consumers and 1 producer, then how many certificates do we need to use? Will all the consumers have the same certificate, or will each of them use its own unique certificate?
2. What is the difference between a key store and a trust store? Where should we install the certificates?
3. There are certificates with different extensions such as .pem, .p12, .cert, etc. What is the difference between these? Which one is best to use?
Certificates are used to determine if the sender of a message really is who they say they are.
Typically it's not necessary for a web service to trust a client, because clients need to authenticate themselves before they can do anything. That means you need one certificate for the web service, and the clients decide whether they trust that web service based on the certificate.
Let's look at that using a silly analogy: William's place is an exclusive members-only club. Christine is looking to spend some of her money there, so she becomes a member and receives a password. When she shows up at the address, the place looks a bit shady, and she doesn't really trust it. When the doorman asks her for her password, she first asks him if this is the right place. He gives her a piece of paper that says the place is the real deal, and at the bottom is the signature of Albert, the owner of Members Only Weekly. Christine recognizes the signature because she's an avid reader, so she decides to trust it. She gives the doorman her password, and he lets her in.
Here, William's is the web service, Christine is the client, and Albert is the certificate authority. Christine trusts William because he has a certificate issued by Albert, and Christine trusts Albert. William trusts Christine, because she has a password to his place.
Christine stores the password on a card in her purse, as well as the keys to her home. This is her KeyStore. She stores the certificate the doorman gave to her with her collection of Members Only Weekly. This is her TrustStore.
After she gets to know William, he recommends another nice place to her, and when she shows up, the doorman there gives her a certificate signed by William. She trusts that place, because she trusts William, because she trusts Albert. This is called a certificate chain.
Stephan van Hulst wrote: Typically it's not necessary for a web service to trust a client, because clients need to authenticate themselves before they can do anything. That means you need one certificate for the web service, and the clients decide whether they trust that web service based on the certificate.
Not necessarily. It's also possible to use the client certificate for authentication. In that case, the client certificate acts like the username/password combination. It's one of the four authentication methods supported in servlets: CLIENT-CERT, alongside BASIC, DIGEST and FORM.
However, this requires quite a lot more to set up, so I'd only use a server certificate, have all clients use the same certificate, and have the clients authenticate themselves in a different way. If you register the certificate with a proper certificate authority (CA), you don't even need to use a trust manager or key manager; it should just work out of the box.
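The two set-ups discussed in the replies above (one server certificate that every consumer trusts, versus CLIENT-CERT where each consumer also presents its own certificate) can be seen in a single Java program that plays both producer and consumer over a localhost TLS socket. This is an added example, not code from either poster; it assumes four PKCS#12 files, the passwords and the file names given in the header comment, all of which are assumptions for the demo. It also shows concretely which file is a key store and which is a trust store on each side.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example (not from the thread). Assumed input files, created beforehand with keytool
 * (the aliases, file names and the password "changeit" are assumptions):
 *   keytool -genkeypair -alias service -keyalg RSA -keysize 2048 -dname CN=localhost \
 *           -keystore service-keystore.p12 -storetype PKCS12 -storepass changeit
 *   keytool -exportcert -alias service -rfc -file service.pem \
 *           -keystore service-keystore.p12 -storepass changeit
 *   keytool -importcert -alias service -file service.pem -noprompt \
 *           -keystore client-truststore.p12 -storetype PKCS12 -storepass changeit
 * and the mirror image for the consumer: client-keystore.p12 (its own key pair) and
 * service-truststore.p12 (holding the exported client certificate).
 */
public class TlsRolesDemo {
    static final char[] PASSWORD = "changeit".toCharArray();

    // A KeyStore object is only a container; what you put in it decides whether it
    // serves as "key store" (my own key + certificate) or "trust store" (certs I believe).
    static KeyStore load(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, PASSWORD);
        }
        return ks;
    }

    // keystorePath: who I am (private key + cert). Null for a consumer that only checks the producer.
    // truststorePath: whom I trust (the other side's certificate or the CA that issued it).
    static SSLContext context(String keystorePath, String truststorePath) throws Exception {
        KeyManagerFactory kmf = null;
        if (keystorePath != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(load(keystorePath), PASSWORD);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(truststorePath));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // "java TlsRolesDemo" = server certificate only; "java TlsRolesDemo client-cert" = CLIENT-CERT style.
        boolean clientCert = args.length > 0 && args[0].equals("client-cert");

        // Producer: always needs a key store (its own key); its trust store only matters for CLIENT-CERT.
        SSLContext serverCtx = context("service-keystore.p12", "service-truststore.p12");
        SSLServerSocket server = (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0);
        server.setNeedClientAuth(clientCert); // CLIENT-CERT: handshake fails unless the client presents a trusted cert
        int port = server.getLocalPort();

        Thread serverThread = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) server.accept()) {
                s.startHandshake();
                if (clientCert) {
                    // The certificate is the credential: no password needed inside the SOAP message.
                    X509Certificate peer = (X509Certificate) s.getSession().getPeerCertificates()[0];
                    System.out.println("server: client authenticated as " + peer.getSubjectX500Principal());
                } else {
                    System.out.println("server: anonymous client; authenticate it by other means (e.g. password in the message)");
                }
                s.getOutputStream().write("hello\n".getBytes());
            } catch (Exception e) {
                System.out.println("server: handshake failed: " + e);
            }
        });
        serverThread.start();

        // Consumer: always needs a trust store with the producer's cert (or its CA);
        // needs a key store only when the producer demands a client certificate.
        SSLContext clientCtx = context(clientCert ? "client-keystore.p12" : null, "client-truststore.p12");
        try (SSLSocket c = (SSLSocket) clientCtx.getSocketFactory().createSocket("localhost", port)) {
            c.startHandshake(); // throws if the producer's cert is not in client-truststore.p12
            X509Certificate serverCert = (X509Certificate) c.getSession().getPeerCertificates()[0];
            System.out.println("client: talking to " + serverCert.getSubjectX500Principal());
            System.out.println("client: got " + new String(c.getInputStream().readNBytes(6)));
        }
        serverThread.join();
        server.close();
    }
}
```

In the default mode only the producer's key store and each consumer's trust store are used, which is the "one certificate for the web service" arrangement; the consumer's own key store is never opened. In client-cert mode the producer additionally calls setNeedClientAuth(true) and reads the consumer's identity from the peer certificate, which is what CLIENT-CERT does for you inside a servlet container. On the file formats from the question: the .p12 files here are PKCS#12 containers that can hold a private key together with its certificate chain, which is why they are used as key stores, while the exported .pem file is just the certificate (no private key) in text form, which is all the other side needs to put in its trust store. Note that a raw SSLSocket does not check that the certificate's name matches the host; an HTTPS client (HttpsURLConnection, or the JAX-WS client built on it) does that check for you.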