> thanks for the response.
>
> I just need the certificate to securely identify that a request is
> coming from who I think it is coming.

Then you need some way to distribute a certificate to that endpoint and for
the other end to know what certificate that endpoint has.

> My goal is that I can indistinctively use http or https while testing.
> I just want to set up my application server, Tomcat, so that requests
> can be received using https.
> I know that I have to upload the public certificate into the other party
> (to whom I am talking to).
>
> I do not expect to modify the application code because of https. Am I
> right?

If you don't modify the application code, then what will make sure that the
request is coming from who you think it is coming from? Some code will need
to perform that check.

> Regarding just using the certificate in the fashion mentioned above,
> will I need to include some license in some
> file or product brochure?

There's no way to answer that question without knowing how you plan your
authentication to work.

> The only case where I see mentioning the certificate authority would be
> in a System Diagnostics option, where
> we display the environment variables, so maybe we would want to display
> some info about who issued the certificate, when using one.

When you say "securely identify that a request is coming from who I think it
is coming", what *EXACTLY* do you mean? For example, you could mean:

1) I need to identify the actual human being who sent the request so I can
hold them responsible for it.

or

2) I need to identify that the request is coming from the same entity that
some other request came from, and I'll authenticate that request by
user/password.

or

3) I need to know that the request is coming from someone authorized to send
such requests, and the person who authorizes such requests will do so by
issuing a certificate.

It all depends on exactly what you're trying to do, what your threat model
is, and so on. You probably won't get useful advice on a mailing list unless
you go into much more detail.

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
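
Added example, not part of the original thread or of any project's code: one form the check "some code will need to perform" could take, for the case where each party's certificate is distributed out of band and pinned by fingerprint. The party names, sample bytes and function names are assumptions made for illustration; the byte strings are constructed stand-ins for DER-encoded certificates.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates. In a real server these
# bytes come from the TLS layer after a completed handshake with client
# authentication, e.g. ssl.SSLSocket.getpeercert(binary_form=True).
PARTNER_CERT_DER = b"constructed-sample-der-partner-a"
UNKNOWN_CERT_DER = b"constructed-sample-der-unknown"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


# Allowlist built from certificates received out of band: fingerprint -> party.
PINNED = {fingerprint(PARTNER_CERT_DER): "partner-a"}


def identify_peer(peer_der, pinned=PINNED):
    """Return the party name for the presented certificate, or None.

    None covers both failure modes: no client certificate was presented
    (plain http, or https without client auth) and a certificate that is
    not on the allowlist. The certificate itself is public; it is the TLS
    handshake that proves the peer holds the matching private key.
    """
    if not peer_der:
        return None
    presented = fingerprint(peer_der)
    for known, party in pinned.items():
        if hmac.compare_digest(presented, known):
            return party
    return None


def handle_request(peer_der, expected_party):
    """Application-level decision: accept only the party the request claims."""
    party = identify_peer(peer_der)
    if party is None:
        return "401 no trusted client certificate"
    if party != expected_party:
        return "403 certificate belongs to " + party
    return "200 ok"
```

A request that arrives over plain http carries no certificate and takes the 401 branch, which is why http and https are not interchangeable once the certificate is what identifies the sender.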
