CXF & OCSP Signers

My apologies if this is the wrong place for this question, as it's not strictly a CXF issue, but I'm hoping someone might be able to kick me in the right direction ...

In my architecture, the STS I am building will need to check certificate revocation against one of a set of OCSP responders. Revocation checking works well using the standard Java configuration, that is not an issue. What is an issue though is that we are using a hierarchical OCSP architecture, with multiple OCSP signers, each with their own certificate. So when checking the status of a cert against a responder, depending on the health of everything in the system, the revocation response could be signed with any one of those OCSP signing certs.

With a single signing cert, I can add that cert to the CXF STS's truststore, and revocation checking works perfectly. I had thought that if I added additional signing certs to the trust store, Java would just match the cert in the OCSP response against any of the certs in the truststore, but instead it looks like Java just gets confused and randomly picks one to match against - it may not be random, but it's not consistent as I'll sometimes get "Unable to verify OCSP Responder's signature" errors kicked out, and sometimes get the proper status.

Again, my apologies if this question is misdirected. Any help would be greatly appreciated.

Stephen W. Chappell
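As an added Java example (not code from this post, from CXF, or from the JDK docs), this is how the JDK's own PKIXRevocationChecker (Java 8+) performs OCSP revocation checking with an explicitly named responder certificate instead of leaving the choice of signer to the trust store. The class name, file paths and the argument order are assumptions; note that setOcspResponderCert accepts a single certificate.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.Arrays;

// Assumed class name: validates a chain with OCSP revocation checking and an
// explicitly named OCSP responder certificate via the JDK PKIXRevocationChecker.
public class OcspResponderCheck {
    public static boolean validate(String trustStorePath, char[] trustStorePass,
                                   String responderCertPath,
                                   X509Certificate... chain) throws Exception {
        // Placeholder paths: trust store holding the CA certs, DER/PEM responder signer cert.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePass);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate responderCert;
        try (FileInputStream in = new FileInputStream(responderCertPath)) {
            responderCert = (X509Certificate) cf.generateCertificate(in);
        }
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // Default options (no SOFT_FAIL): an OCSP response whose signature cannot be
        // verified fails the validation instead of being silently ignored.
        // setOcspResponderCert takes exactly one certificate, so a deployment with
        // several OCSP signers cannot pin all of them through this setting alone.
        rc.setOcspResponderCert(responderCert);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.addCertPathChecker(rc); // replaces the default revocation mechanism
        params.setRevocationEnabled(true);
        // chain order: end-entity first, then intermediates; the trust anchor is omitted.
        CertPath path = cf.generateCertPath(Arrays.asList(chain));
        try {
            cpv.validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.err.println("Validation failed (" + e.getReason() + "): " + e.getMessage());
            return false;
        }
    }
}
```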
