Let’s assume we have the following CA hierarchy:
- ACME Inc. Root CA
  - ACME Inc. Sub CA 1
    - ACME Leaf Certificate 1
  - ACME Inc. Sub CA 2
    - ACME Leaf Certificate 2
- ACME Inc. Sub CA 1
Now, we have a .p12 file as a "truststore" with the following CA certificates inside:
- ACME Inc. Root CA
- ACME Inc. Sub CA 1
Assuming we have a typical Java server application which uses mTLS to secure connections, which of the above Leaf Certificates would be allowed to connect?
Meaning:
- Would Leaf Certificate 2 be able to connect, even though the Sub CA 2 certificate is not in the trust store, but the Root CA is?
- Why would I then even include the Sub CA 1 certificate in this trust store?
- If I include Leaf Certificate 1 directly in the said truststore, does this mean that ONLY Leaf Certificate 1 is able to connect?
- If I included Leaf Certificate 1 directly in the said truststore, would it then be accepted even if it’s expired?
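The probe below is added here as a worked example; it is not part of the question or of any answer on this page. It builds the JDK's default PKIX `X509TrustManager` from several in-memory truststores and hands it the client chains an mTLS server would receive during the handshake, so each of the four questions can be checked against a real JDK instead of reasoned about. It assumes the five certificates exist as PEM files (`root.pem`, `sub1.pem`, `leaf1.pem`, `sub2.pem`, `leaf2.pem`; the file names are assumptions), for example generated with `openssl`, and that Leaf Certificate 1 may optionally be issued with a validity period that has already ended in order to test the last question.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Example probe (not from the page): feeds candidate client chains to the JDK's
// PKIX X509TrustManager built from different in-memory truststores, which is the
// same trust manager a typical JSSE mTLS server uses.
// Usage: java TrustProbe.java root.pem sub1.pem leaf1.pem sub2.pem leaf2.pem
public class TrustProbe {

    static X509Certificate loadPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(Path.of(path))) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // The trust manager a server gets from a truststore holding exactly these certs.
    static X509TrustManager trustManagerFor(X509Certificate... anchors) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null); // empty in-memory truststore (a .p12 on disk behaves the same)
        for (int i = 0; i < anchors.length; i++) {
            ts.setCertificateEntry("anchor-" + i, anchors[i]);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // True if the chain, in the order the client would present it (leaf first),
    // is accepted as a client certificate; prints the PKIX reason otherwise.
    static boolean accepts(X509TrustManager tm, X509Certificate... chain) {
        try {
            tm.checkClientTrusted(chain, chain[0].getPublicKey().getAlgorithm());
            return true;
        } catch (CertificateException e) {
            System.out.println("    rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: java TrustProbe.java root.pem sub1.pem leaf1.pem sub2.pem leaf2.pem");
            System.exit(2);
        }
        X509Certificate root = loadPem(args[0]);
        X509Certificate sub1 = loadPem(args[1]);
        X509Certificate leaf1 = loadPem(args[2]);
        X509Certificate sub2 = loadPem(args[3]);
        X509Certificate leaf2 = loadPem(args[4]);

        System.out.println("truststore = {Root}");
        X509TrustManager tm = trustManagerFor(root);
        System.out.println("  Leaf2 + Sub2 sent by client: " + accepts(tm, leaf2, sub2));
        System.out.println("  Leaf2 alone:                 " + accepts(tm, leaf2));

        System.out.println("truststore = {Root, Sub1}");
        tm = trustManagerFor(root, sub1);
        System.out.println("  Leaf1 alone:                 " + accepts(tm, leaf1));
        System.out.println("  Leaf2 alone:                 " + accepts(tm, leaf2));
        System.out.println("  Leaf2 + Sub2:                " + accepts(tm, leaf2, sub2));

        boolean leaf1Expired = leaf1.getNotAfter().before(new Date());
        System.out.println("truststore = {Leaf1}  (Leaf1 expired right now: " + leaf1Expired + ")");
        tm = trustManagerFor(leaf1);
        System.out.println("  Leaf1 alone:                 " + accepts(tm, leaf1));
        System.out.println("  Leaf2 + Sub2:                " + accepts(tm, leaf2, sub2));

        System.out.println("truststore = {Leaf1, Root}");
        tm = trustManagerFor(leaf1, root);
        System.out.println("  Leaf2 + Sub2:                " + accepts(tm, leaf2, sub2));
    }
}
```

What this shows with the JDK's PKIX trust manager: with only the Root CA in the truststore, Leaf 2 is accepted when the client sends Sub CA 2 along with its leaf (which a client configured with a keystore containing leaf plus intermediate normally does) and rejected with "unable to find valid certification path" when it sends the leaf alone, because the JDK does not fetch missing intermediates from AIA URLs unless `com.sun.security.enableAIAcaIssuers` is set. Adding Sub CA 1 to the truststore therefore does not narrow trust while the Root CA is present; it lets Leaf 1 validate even when its client omits the intermediate. A leaf placed directly in the truststore is a trust anchor like any other: the PKIX trust manager returns immediately when the presented certificate is itself in the truststore, so no validity-period check runs on it and an expired Leaf 1 is still accepted, and its presence does not stop Leaf 2 from connecting as long as the Root CA is also there. Restricting a server to one specific client is not something a truststore expresses; it needs an application-level check on the peer certificate (subject, SAN or fingerprint) after the handshake. Revocation is also not checked unless OCSP or CRL checking is enabled explicitly.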