Reputation: 863
I have a root CA, A, that issues an intermediate cert, B, that in turn issues a specific cert, C:
A -> B -> C
I start up a server which has these certs in its p12 as the keychain.
If I then have a Java client which has all three certs in its trustStore, it can access the cert over HTTPS successfully.
If cert C expires but I still have A & B in the trustStore, HTTPS is still successful.
If I remove A & C from the trustStore and just have B, HTTPS is still successful.
My question is, if I only have A in the trustStore, the original root CA, will HTTPS access still be successful?
Thanks, Mark.
Upvotes: 0
Views: 679
Reputation: 21
Yes. Just adding the root certificate to your client trust store suffices to create a successful HTTPS connection. During the handshake, the certificate is validated bottom-up. It means that your intermediate certificate must be signed by the root CA, and your leaf certificate must be signed by your intermediate CA. As long as your root CA is valid and present in your client's trust store, the connection will be successful.
Upvotes: 1
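As an added example (not part of the question or the answer above), the A -> B -> C chain rebuilt with openssl and checked against each trust-store variant from the question; the file names and the localhost subject are made up, and it assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post: builds the A -> B -> C chain with
# openssl and checks which trust-store contents let the leaf C validate.
set -e

# Root A (60 days), intermediate B (60 days) and leaf C (30 days) go into $1.
gen_chain() (
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:localhost\n' > leaf.ext
  # A: self-signed root
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Root A' -keyout a.key -out a.csr 2>/dev/null
  openssl x509 -req -in a.csr -signkey a.key -days 60 -extfile ca.ext -out a.crt 2>/dev/null
  # B: intermediate CA signed by A
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Intermediate B' -keyout b.key -out b.csr 2>/dev/null
  openssl x509 -req -in b.csr -CA a.crt -CAkey a.key -CAcreateserial -days 60 -extfile ca.ext -out b.crt 2>/dev/null
  # C: server (leaf) certificate signed by B
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=localhost' -keyout c.key -out c.csr 2>/dev/null
  openssl x509 -req -in c.csr -CA b.crt -CAkey b.key -CAcreateserial -days 30 -extfile leaf.ext -out c.crt 2>/dev/null
)

# verify_c <dir> <trusted cert> [extra openssl verify options]
# Exits 0 when C builds a valid path to the given trust store.
verify_c() {
  d=$1; trusted=$2; shift 2
  openssl verify -CAfile "$d/$trusted" "$@" "$d/c.crt" >/dev/null 2>&1
}

main() {
  d=$(mktemp -d)
  gen_chain "$d"
  # 1. Only root A trusted; B is supplied the way a server sends it in the handshake.
  verify_c "$d" a.crt -untrusted "$d/b.crt" && echo "A trusted, B sent by server: ok"
  # 2. Only root A trusted and B not sent: the path from C stops at an unknown issuer.
  verify_c "$d" a.crt || echo "A trusted, B missing: fails"
  # 3. Only B trusted. openssl, unlike the Java trust store in the question, demands
  #    a self-signed root unless -partial_chain lets an intermediate be the anchor.
  verify_c "$d" b.crt || echo "B trusted, default policy: fails"
  verify_c "$d" b.crt -partial_chain && echo "B trusted, -partial_chain: ok"
  # 4. Same full chain evaluated 40 days from now, after C's notAfter but before A's and B's.
  verify_c "$d" a.crt -untrusted "$d/b.crt" -attime "$(( $(date +%s) + 40 * 86400 ))" \
    || echo "after C expires: fails"
}

main
```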