According to TLS connection definition, for example, as the client-side, I use keystore to store my private key and certificate, and use truststore to store some kinds of certs. On the server-side, that call it Youtube, it has a root certificate called Youtube.pem which is signed by Google.crt CA.
I know the truststore is to verify the 3rd party certificate during handshake
My question is what should my truststore actually store during handshake?
Youtube.pem (the CA signed certificate sent from 3rd part)
Google.crt (the CA certificate)
According to TLS connection definition, for example, as the client-side, I use keystore to store my private key and certificate, and use truststore to store some kinds of certs.
Yes, but you only need a keystore if you want to use client side authentication. Note that "keystore" and "truststore" indicate how the store is used, they can be of the same type (e.g. PKCS#12) and even the same file.
On the server-side, that call it Youtube, it has a root certificate called Youtube.pem which is signed by Google.crt CA.
No, YouTube is a service, it has a leaf or end-entity certificate. The root certificate is that of a third party CA. The end-entity certificate is usually signed by an intermediate CA certificate, and that is in turn signed by a self signed root certificate.
I know the truststore is to verify the 3rd party certificate during handshake
It is used to validate and verify the trust path from leaf certificate to a trust anchor in your truststore. The trust anchor is usually one of the root certificates stored in your truststore. The leaf certificate is indicated by the end entity / server, the intermediate certificates are usually sent by the server as well, but they could also be retrieved from a cache.
In the case of YouTube, the Google root CA is used, possibly using the GlobalSign root through a linked certificate if the Google root is not present in the trust store.
So your truststore should either contain the Google root certificate or the GlobalSign root for the connection to work in this example.
I have successfully installed the SSL and I also installed the Trusted Root Certification in the the Trusted Root Certifications Store.
Yet it is still saying to install it in the trusted root store.
https://www.k-9styles.com/
I am using a Rapid SSL RSA SSL
I have trust store which contains Symantec. I am trying to connect to server which is signed by VeriSign. I am getting ssl "No trusted certificate was found” during the handshake. Can it be because I don't have VeriSign CA in trust store?
I am using Axis framework with SSLConnectionSocketFactory. With openssl I see the VeriSign certificate chain on the server
My problem solved after adding the VeriSign CA to trust store.
I have an MVC 3 application running on IIS 7 that associates users to their client certificates during registration.
I am currently using an ECA certificate issued by ORC to login to this application locally.
I need to create self signed certificates that I can use to create new users in this application and assign to the self signed certificates.
I have created a self signed Certificate Authority Certificate. I used that certificate to sign a server and client certificate. The Certificate Authority is installed in the Trusted Root Certification Authorities of the Computer Account on the machine I'm using. The Client Certificate is installed in the Personal Store of my account.
With the above configuration, my browsers will only prompt me for the certificate issued by ORC, and not my self-signed certificate. How can I get the browser to prompt me for the self-signed certificate so that all communication with the server will use my self-signed certificate instead of the ORC issued ECA certificate?
I am currently developping a Windows 8 metro app. This app will not be available in the Martketplace but will be distributed by sideloading.
For this it is necessary to sign the app with a certificate and import the same certificate on the client machine.
I never made such a certificate? How should I proceed?
I also read the publisher name of the app should be the same as the publisher name in the certificate...
Who knows how to make such a certificate? A commercial certificate from for example Verisign is currently not an option.
If a commercial (payed for) certificate is not an option there are three other ways to get a certificate:
1) If your company has an own root certificate (trusted by a public Certificate Authority like VeriSign) you (or an admin) can derive a software signing certificate from that.
2) Your company could setup an own certificate server to issue own certificates. If the certificates are only used inside the company and the root certificate is trusted (imported in the certificate store for trusted root authorities) on all machines you could use a software signing certificate derived from the root certificate. See http://www.esecurityplanet.com/network-security/how-to-run-your-own-certificate-authority.html.
3) You could use a self signed test certificate that is not derived from a root certificate. Use makecert to create one (see How do I create a self-signed certificate for code signing on Windows?). When installing the App the user will be asked if he trusts this certificate that has no known publisher.