
grouper-dev - Re: [grouper-dev] grouperClient not require valid SSL

Subject: Grouper Developers Forum

Re: [grouper-dev] grouperClient not require valid SSL


  • From: Tom Scavo <>
  • To: Chris Hyzer <>
  • Cc: Grouper Dev <>
  • Subject: Re: [grouper-dev] grouperClient not require valid SSL
  • Date: Thu, 22 Jan 2009 13:06:46 -0500

On Thu, Jan 22, 2009 at 10:10 AM, Chris Hyzer wrote:
>
> https://bugs.internet2.edu/jira/browse/GRP-205
>
> My own two cents is that if you can get a valid certificate from a CA in the
> JRE, then you can save yourself money in the long run… I have used Comodo
> certs (e.g. positive SSL is $50) and had good luck. I have also used
> GoDaddy certs ($30), and I'm not sure I have connected from Java, I haven't
> had browser issues. Also, don't shy away from getting a long term one so
> you don't have to keep updating it every year. We use a wildcard Comodo
> cert so we buy one and use it everywhere (must be the same level in the
> domain name hierarchy).

Here's my two cents worth:

1 cent) Try to avoid self-signed certs (which is not the same as
saying the cert must be a trusted cert from a commercial CA).

2 cent) Have you considered implementing a trusted CA cert store on the
client?

Actually, given your recommendation above, it seems that a trust store
already exists on the client, so why can't you just add the CA cert
that signed the (untrusted) server cert to the trust store and be done
with it? Why is it necessary for the server cert to be a trusted
commercial cert? I must be missing something.

Tom


