
grouper-dev - RE: [grouper-dev] grouperClient not require valid SSL

Subject: Grouper Developers Forum

  • From: Chris Hyzer <>
  • To: Tom Scavo <>
  • Cc: Grouper Dev <>
  • Subject: RE: [grouper-dev] grouperClient not require valid SSL
  • Date: Thu, 22 Jan 2009 13:47:46 -0500
  • Accept-language: en-US

>
> Here's my two cents worth:
>
> 1 cent) Try to avoid self-signed certs (which is not the same as
> saying the cert must be a trusted cert from a commercial CA).
>
> 2 cent) Have you considered implementing a trusted CA cert store on the
> client?

There is one in Java. In our last call, we decided that users can either add
it to their JRE or turn off verification in grouper client.

>
> Actually, given your recommendation above, it seems that a trust store
> already exists on the client, so why can't you just add the CA cert
> that signed the (untrusted) server cert to the trust store and be done
> with it? Why is it necessary for the server cert to be a trusted
> commercial cert? I must be missing something.

I personally feel that the time/money saved from having to worry about
self-signed or untrusted certs is greater than the time/money it takes to get a
trusted cert. Maybe it's just me... :) However, I'm sure various schools are
set up differently and might take less effort to add their own CA cert into
their trust stores everywhere...

Regards,
Chris
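
The option raised in the quoted question (trust the CA that signed the server cert instead of turning verification off), as an added example that is not part of the original messages or of Grouper. It uses the `openssl` CLI with throwaway keys; the CA names and hostnames are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo: CA names and hostnames below are made up for illustration.
set -eu

# make_ca DIR NAME: create a throwaway private CA (key + self-signed root cert).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA HOST: create a key for HOST and have CA sign its certificate.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -days 30 -CAcreateserial \
    -CA "$1/$2.pem" -CAkey "$1/$2.key" -out "$1/$3.pem" 2>/dev/null
}

# trusted_by ANCHORS CERT: exit 0 only if CERT chains to a CA in the ANCHORS file.
trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  local d host anchors r
  d=$(mktemp -d)
  make_ca "$d" campus-ca   # the institution's own CA
  make_ca "$d" other-ca    # stands in for a trust store that lacks campus-ca
  issue_cert "$d" campus-ca grouper-ws.example.edu
  issue_cert "$d" campus-ca grouper-ui.example.edu
  # One trusted CA cert covers every server cert that CA signs;
  # verification stays on and still rejects certs from unknown issuers.
  for host in grouper-ws.example.edu grouper-ui.example.edu; do
    for anchors in campus-ca other-ca; do
      if trusted_by "$d/$anchors.pem" "$d/$host.pem"; then r=trusted; else r=REJECTED; fi
      echo "$host checked against $anchors: $r"
    done
  done
  rm -rf "$d"
}
demo
```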


