Trusted Certificates
Certificates are typically issued by a trusted third party, such as a certificate authority. There are several commercial certificate authorities, such as Bouncy Castle or VeriSign.
Both clients and servers can also store a list of trusted certificates. When a connection is requested, each party presents its certificate, and that certificate is checked against the list of trusted certificates. If the certificate is not found, the connection is refused. Checking trusted certificates allows clients to ensure that they are connecting to the correct server. For servers, trusted certificates are used to ensure that only authorized clients can connect to the server.
Checking a certificate involves checking the certificate of the party that signed it. There can be a hierarchy of intermediate certificates, also known as a certificate chain, that must be checked up to the root certificate to ensure that a certificate is authentic. ActiveMatrix BusinessWorks requires that all intermediate certificates be stored in the trusted certificate location so that certificates can be properly verified.
The following figure illustrates a certificate chain. In this chain, Alice has a certificate signed by the OASIS Interop Test CA (the Issuer DN in the certificate). To verify Alice’s identity, the issuer of Alice’s certificate must be checked. The OASIS Interop Test CA certificate was issued by OASIS Interop Test Root. You can see that the OASIS Interop Test Root certificate is a self-signed root certificate because the Issuer DN is the same as the Subject DN in the certificate.
An example of a certificate chain
You can use a variety of methods and external tools to obtain certificates for your trusted certificate list or to create self-signed root certificates. For example, OpenSSL at www.openssl.org provides a toolkit for working with certificates and SSL. Portecle at http://portecle.sourceforge.net/ provides a GUI tool for managing certificates.
ActiveMatrix BusinessWorks can import and store certificates in Privacy-enhanced Electronic Mail (PEM) format in a folder within the project. You can also store trusted certificates outside of your project and use a global variable to point to the certificate storage location. The following sections describe each method of storing trusted certificates.
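As an added example that is not part of the ActiveMatrix BusinessWorks documentation, the following POSIX shell script uses the OpenSSL command-line toolkit mentioned above to build a chain like the one in the figure (a self-signed root, an intermediate CA, and a leaf certificate for Alice; all names are constructed placeholders) and then checks the leaf against two PEM trusted-certificate stores: one holding only the root, which is rejected because the issuer of Alice's certificate cannot be found, and one holding the root together with the intermediate, which verifies. It also performs the Issuer DN / Subject DN comparison that identifies a self-signed root. The script assumes an openssl binary on the PATH and writes all files to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the ActiveMatrix BusinessWorks documentation).
# Builds root -> intermediate -> leaf with the OpenSSL CLI and shows why the
# intermediate must be present in the trusted store when the leaf is checked.
# Certificate names below are constructed placeholders.
set -e

# Minimal req config so the script does not depend on the system openssl.cnf.
write_req_config() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$1"
}

# build_chain DIR: writes root.pem (self-signed), ca.pem (intermediate signed
# by the root) and alice.pem (leaf signed by the intermediate) into DIR.
build_chain() {
  dir="$1"
  cfg="$dir/req.cnf"
  write_req_config "$cfg"

  # Root: the request is signed with its own key, so Issuer DN == Subject DN.
  openssl req -new -config "$cfg" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Interop Test Root" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

  # Intermediate CA, issued (signed) by the root.
  openssl req -new -config "$cfg" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Interop Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  openssl x509 -req -in "$dir/ca.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null

  # Leaf certificate for Alice, issued by the intermediate.
  openssl req -new -config "$cfg" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Alice" -keyout "$dir/alice.key" -out "$dir/alice.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/alice.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" -out "$dir/alice.pem" 2>/dev/null
}

# is_self_signed CERT: succeeds when the Issuer DN equals the Subject DN.
is_self_signed() {
  iss="$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')"
  sub="$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')"
  [ "$iss" = "$sub" ]
}

# verify_against_store STORE LEAF: succeeds only if LEAF chains up to a root
# using nothing but the certificates in the PEM file STORE.
verify_against_store() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

WORK="$(mktemp -d)"
build_chain "$WORK"

# Store 1: root only. Store 2: root plus intermediate, as BusinessWorks expects.
cp "$WORK/root.pem" "$WORK/trusted-root-only.pem"
cat "$WORK/root.pem" "$WORK/ca.pem" > "$WORK/trusted-full.pem"

for c in root ca alice; do
  if is_self_signed "$WORK/$c.pem"; then
    echo "$c.pem: self-signed root (Issuer DN == Subject DN)"
  else
    echo "$c.pem: $(openssl x509 -in "$WORK/$c.pem" -noout -issuer)"
  fi
done

if verify_against_store "$WORK/trusted-root-only.pem" "$WORK/alice.pem"; then
  echo "root only: verified"
else
  echo "root only: rejected (intermediate issuer not in trusted store)"
fi
if verify_against_store "$WORK/trusted-full.pem" "$WORK/alice.pem"; then
  echo "root + intermediate: verified"
else
  echo "root + intermediate: rejected"
fi
rm -rf "$WORK"
```

Run it with `sh chain-check.sh`. The first verification fails with OpenSSL's "unable to get local issuer certificate", which is exactly the situation the requirement above guards against: the leaf is genuine, but the verifier cannot walk the chain to the root because the intermediate is absent from the trusted location. Adding the intermediate PEM to the store is what makes the chain complete.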