Senthilkumar Ramasamy

Reputation: 780

Should server certificates be added to the trust store for the client to receive the response from the server securely?

Requirement: Need to write a web service client to interact with the server using SSL encryption.

Provided: Provided with the key store file and the server cert.

Coding: Have written Java code forming the SOAP request. For adding (signing the SOAP) the encryption data, used the key store to get the public key using the certificates and encrypted with a digital signature algorithm.

Assumption in steps:

  1. Signing the SOAP message using the key store and sending it to the server.
  2. Trust store (with certificates) by Certified authority validates the request and processes the request.
  3. Signing the response with the same key store (used by the client) on the server side to send to the client.
  4. Client receives the response and validates it using the trust store (with certificates) by Certified authority in /JAVA_HOME/jre/lib/security/cacerts.

In this case, do we need to import the server.cert file from the requirement into /JAVA_HOME/jre/lib/security/cacerts, from which the response is validated?

Please correct me if I am wrong at any step.

Upvotes: 1

Views: 4343

Answers (1)

DoIt

Reputation: 323

If your server and client already trust the Certificate Authority (CA) that is signing your certificates, then you don't have to import your server/client certificates into each other's trust stores. It should work normally because your signing CA is already trusted by client and server.

If the CA is not trusted by client/server, then there are two ways to solve this:

  1. Import the CA certificate into the client/server trust stores, so that any certificate signed by this CA is trusted by both client and server.
  2. Or import server.cert into the client trust store (in your case /JAVA_HOME/jre/lib/security/cacerts) and client.cert into the server trust store for 2-way validation.

Upvotes: 4
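
An added example, not part of the original answer: a Java sketch that reports whether the issuer of `server.cert` is already named in the JVM's default trust store, and otherwise applies option 2 through an in-memory trust store scoped to this client instead of editing the JVM-wide `cacerts`. The class name `ScopedTrustStore`, the alias `server`, and the assumption that `server.cert` is a PEM or DER X.509 file in the working directory are illustrative.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class ScopedTrustStore {  // hypothetical class name
    // X509TrustManager backed by the given store; null selects the JVM default (cacerts).
    static X509TrustManager trustManagerFor(KeyStore store) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Name match only (not a chain validation): issuer DN equals a default trust anchor's subject DN.
    static boolean issuerInDefaultStore(X509Certificate cert) throws Exception {
        for (X509Certificate anchor : trustManagerFor(null).getAcceptedIssuers()) {
            if (anchor.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) return true;
        }
        return false;
    }

    // SSLContext that trusts only the supplied certificate, leaving cacerts untouched.
    static SSLContext contextTrusting(X509Certificate cert) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);                     // start from an empty in-memory store
        ts.setCertificateEntry("server", cert);  // alias is arbitrary
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {trustManagerFor(ts)}, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "server.cert";  // file name from the question
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("Issuer: " + cert.getIssuerX500Principal());
        System.out.println("Issuer name found in default trust store: " + issuerInDefaultStore(cert));
        SSLContext ctx = contextTrusting(cert);
        System.out.println("Scoped context ready: " + ctx.getProtocol());
    }
}
```

The socket factory from `ctx.getSocketFactory()` can be set on an `HttpsURLConnection` with `setSSLSocketFactory`, so only this client's connections trust the imported certificate.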
