I’m not sure if you are asking 1 or 2 questions here so I will try to give as much info as possible.
How does it work with self-signed certificate?
Then how do client like psi will report about the
I have made self-signed certificate and I have been
through the process of making psi not to complain the
certificate. I want to know how it might affect my
setting. But it sure is a nice feature.
Server certificates are kept in resources\security\keystore. Certificates can be signed by a publicly known Certificate Authority (CA) or just be self-signed. Usually self-signed certificates are not meant to be used in production environments since the identity of the server cannot be really trusted. However, self-signed certificates as well as certificates signed by a CA can both be used to encrypt/secure a connection (i.e. for TLS/SSL).
Server certificates are used in 2 cases: 1) When a client connects to the server the client will validate the server certificate to confirm the identity of the server and 2) When a remote server connects to your server the remote server will also need to verify the server identity by checking the server certificates. Case #2 only happens between servers that support TLS for s2s.
In case #1, which is the case that you are asking about, it’s up to the client to decide if he is going to accept a self-signed server certificate. If the client accepts the self-signed certificate then the connection will be secured and things will flow without any problem. However, if the client does not accept self-signed certificates then the connection will not be secured. The client can always try to connect using an unsecured connection and if the server allows unsecured connections then things will be fine.
If you are asking how are we going to deal with certificate signing in JM-492 then the answer will be that the admin console will need to not only generate certificates but also export and import them. So once a CA has signed a certificate you should be able to import it. That’s why the security page is now showing if the certificate is self-signed as a way to indicate if the signed certificate has been imported or not.
Let me know if you need more info or have any other questions.
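
The self-signed check described in the reply above, as an added example that is not part of the original post or the server's own code: it lists each certificate in a keystore and reports whether it is self-signed or was issued by another party. The class name is hypothetical, and the keystore is assumed to be in JKS format at a path you pass in (for instance the `resources\security\keystore` file mentioned above).

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical helper class, not part of the server code base.
public class KeystoreSelfSignedCheck {

    /** True when issuer equals subject AND the signature verifies under the certificate's own key. */
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false; // issued by a different name, e.g. a CA
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false; // same name, but signed with a different key
        }
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (from a terminal): KeystoreSelfSignedCheck <keystore-file>");
            System.exit(2);
        }
        // Prompt for the password so it does not end up in the process list or shell history.
        char[] password = console.readPassword("Keystore password: ");

        KeyStore ks = KeyStore.getInstance("JKS"); // assumption: JKS-format keystore
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) c;
            System.out.printf("%s: subject=%s issuer=%s -> %s%n", alias,
                    cert.getSubjectX500Principal().getName(),
                    cert.getIssuerX500Principal().getName(),
                    isSelfSigned(cert) ? "self-signed" : "signed by another issuer");
        }
    }
}
```

An entry that still reports "self-signed" after a CA has returned the signed certificate means the import has not replaced the original certificate under that alias.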