This is a very good point to discuss. If trusting the intermediate CA is not suitable, you need to provide the full certificate path in the trust store, because otherwise the application has no way to verify if the intermediate certificate is trustworthy or not. That's why phase4 differentiates between keystore and truststore. The keystore only contains the private key (eventually with the full chain), whereas the truststore contains only the public parts of all trusted certificates but no secrets. That's why it is not problematic (from my point of view) that a trust store contains trusted root certificates, because keystores and truststores need to be assessed differently from a security point of view. Hope that makes some sense ;-)
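The behaviour described in the discussion, as an added illustration that is not phase4 or WSS4J code: a chain delivered leaf-first (as in a BinarySecurityToken) is validated against a truststore, and the path only terminates when its last certificate is *issued by* a trust anchor, which is why a truststore holding only the leaf fails while one holding the root succeeds. It assumes the `cryptography` package; the CA names and the `validate_path` helper are constructed for the example and mirror the rule Java's PKIX `CertPathValidator` applies.

```python
# Added illustration (not phase4 code): PKIX-style path validation against a
# truststore, showing why a truststore holding only the leaf cannot validate a
# chain delivered in a BinarySecurityToken, while one holding the root can.
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

def make_cert(cn, key, issuer_cert=None, issuer_key=None, ca=False):
    """Self-signed cert when issuer_cert is None, otherwise issued by it."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_name = issuer_cert.subject if issuer_cert else name
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(issuer_name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))

def issued_by(cert, issuer):
    """True if cert's issuer name matches and its signature verifies under issuer's key."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False

def validate_path(path, trust_anchors):
    """Leaf-first path, as Java's CertPathValidator expects. Every link must be
    signed by the next cert, and the last cert must be issued by a trust anchor.
    An anchor that merely equals the leaf does not terminate a longer path."""
    for child, parent in zip(path, path[1:]):
        if not issued_by(child, parent):
            return "broken link: %s" % child.subject.rfc4514_string()
    if any(issued_by(path[-1], anchor) for anchor in trust_anchors):
        return "ok"
    return "path does not chain with any trust anchor"

# Constructed three-level chain: root -> intermediate -> signing certificate.
root_key, int_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
root = make_cert("Example Root CA", root_key, ca=True)
inter = make_cert("Example Intermediate CA", int_key, root, root_key, ca=True)
leaf = make_cert("customer AS4 signer", leaf_key, inter, int_key)
bst_chain = [leaf, inter]  # what the BinarySecurityToken chain carries

if __name__ == "__main__":
    print("truststore = leaf only :", validate_path(bst_chain, [leaf]))
    print("truststore = root      :", validate_path(bst_chain, [root]))
```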
Dear @phax,
I encountered a problem while using AS4IncomingHandler._parseMessage().
I used pull mode to request a message from the customer; the SOAP format is as follows:
It was signed with a certificate chain (from BinarySecurityToken). When I used the method (AS4IncomingHandler._parseMessage) to parse the result, it encountered an exception:
This error indicates that I did not add the public key to the trust key repository, but in fact, I have added the certificate at the bottom of the certificate chain to the trust key repository. The problem was only resolved after I added the root certificate to the trust key repository.
In my understanding, when a certificate chain appears, we usually use the lowest-level certificate as the object we use, like signature and encryption. And the root certificates are often not compliant with security standards because their validity period is relatively long and they are easily hacked.
Is it better to replace the verification of the certificate chain with the lowest level certificate verification?