Trust Store Configuration
Have a look at this example of a certificate chain used to identify an SSL/TLS server, running from the "Root CA" down to the server's own "SSL certificate": at least one of the certificates in the chain MUST be present in your trust store, and it is your choice which one. If you put the "SSL certificate" of the called server into the trust store, you can only connect to the specific servers that present exactly that certificate. If you use "Intermediate CA 2", then any server whose certificate has been signed by "Intermediate CA 2" is allowed. If you use "Root CA", then all servers that can present a certificate chain from the "Root CA" to their "SSL certificate" are allowed.
So, from the security point of view, it seems like using the "SSL certificate" would be the most secure option. However, there are two important drawbacks:
- This is not very flexible. If you change servers and end up needing a new "SSL certificate", this means that an app update is required.
- The further down the chain you go in this image (towards the "SSL certificate"), the shorter the certificate's lifetime typically is, and once the certificate has expired you again need to ship an app update to allow the new certificate.
So, in sum, you need to balance your desire for security with your need for flexibility and with the update frequency.
⚠️ Note: In case of a server or CA transition, or when a certificate is known to expire soon and the new certificate is already available in advance, multiple server or CA certificates can be present in the trust store so that they are accepted in parallel. For example, you could put both "Intermediate CA 2" and "Renewed Intermediate CA 2" into the trust store, and you will then be allowed to connect to any server with a certificate issued by either of the two CAs.
**Note**: Previously, we recommended another strategy for configuring the trust store. For the time being the old strategy will continue to work, but it is deprecated and should not be used any more.
In practice, certificates missing from the trust store (e.g. because server certificates change over time) turned out to be a common issue. See the Common Issues section for suggestions on how to deal with these problems when they occur.