Configure for the certificate authority list

When a client connects to a server that uses a certificate, the server sends back its certificate. The client must check whether that certificate is trusted. It does this using a certificate authority list.

  1. Create the client's certificate authority list.
    1. Save the certificate of the HTTPS server to disk. Type the server's URL in your Internet browser. When prompted, save the certificate to disk.
    2. Create the client's Certificate Authority List from the certificate that you saved to disk.

      $ openssl x509 -in ServerCertificate.crt -text >> ClientCAList.pem

      Note: This file lists all trusted certificate authorities. Any other certificate trusted by a listed Root Certificate Authority is also considered trusted by the client.
  2. Set the global certificate authority list in fglprofile.
    The global certificate authority list entry defines the file containing the certificate authority list used by the Genero Web Services client to validate all certificates coming from the different servers it will connect to.

    security.global.ca = "ClientCAList.pem"

    If security.global.ca is not defined, Genero Web Services checks whether the operating system has a keystore; if it does not, security.global.ca.lookuppath is used.
The client application is configured to use the appropriate certificate authority list to validate a server's certificate.
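
A check to run after building ClientCAList.pem, added here as an example and not part of the Genero documentation: it lists every certificate in the file with its SHA-256 fingerprint, expiry state and subject, and reports certificates that were appended more than once. The function names and the output format are assumptions of this example; it uses only standard openssl x509 options.

```shell
# Added example: audit a client CA list (names and output format are its own).

# Print "<sha256 fingerprint>|<valid|EXPIRED>|<notAfter>|<subject>" for the
# single PEM certificate in file "$1".
cert_line() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        printf 'UNPARSEABLE|-|-|-\n'; return 0
    fi
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    state=EXPIRED
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then state=valid; fi
    printf '%s|%s|%s|%s\n' "$fp" "$state" "$end" "$subj"
}

# Print one cert_line per certificate in the PEM bundle "$1". The readable
# dump that "openssl x509 -text" writes around each PEM block is skipped.
ca_list_summary() (
    [ -r "$1" ] || { echo "cannot read: $1" >&2; exit 1; }
    tmp=$(mktemp) || exit 1
    in_block=0
    # tr drops CR so files saved with Windows line endings still match.
    tr -d '\r' < "$1" | while IFS= read -r line || [ -n "$line" ]; do
        case $line in
        '-----BEGIN CERTIFICATE-----')
            in_block=1
            printf '%s\n' "$line" > "$tmp" ;;
        '-----END CERTIFICATE-----')
            if [ "$in_block" -eq 1 ]; then
                printf '%s\n' "$line" >> "$tmp"
                cert_line "$tmp"
            fi
            in_block=0 ;;
        *)
            if [ "$in_block" -eq 1 ]; then printf '%s\n' "$line" >> "$tmp"; fi ;;
        esac
    done
    rm -f "$tmp"
)

# Print fingerprints that occur more than once, which happens when the
# ">>" append step is repeated for a certificate already in the list.
ca_list_duplicates() {
    ca_list_summary "$1" | cut -d'|' -f1 | sort | uniq -d
}

# Usage: sh audit_ca_list.sh ClientCAList.pem
if [ "$#" -gt 0 ]; then ca_list_summary "$1"; fi
```

Compare each fingerprint with one obtained from the server's operator before relying on the list, because a certificate saved through a browser is trusted exactly as it was received.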