I have a J2EE application that makes requests to Salesforce, Docusign, and LexisNexis. To make these requests, I first add the intermediate certificates for each of these sites into my server's trust store. Recently I've considered removing the intermediate certificates from my trust store and adding the root certificates for these sites instead (e.g. instead of importing the salesforce.com cert, using the digicertglobalrootca cert, since it is the root of the salesforce.com certificate chain).
Is there a best practice for whether to store intermediate certificates or root certificates?
Some of the considerations I've weighed:
- When storing intermediate certificates, there are far more to manage. If I store only root certificates, one root can cover many of the sites my application talks to (e.g. the digicert root cert covers Salesforce as well as Docusign and other sites).
- Root certs have much longer expirations than intermediate certs (intermediate certs may expire in <365 days; roots expire in 5-15 years).
- If relying on root certs and these certs are suddenly re-issued (potentially due to a cyber attack on the root issuing organization), many functions/applications within my organization will cease to function at the same time because they all rely on that root cert, whereas relying on intermediate certs would mean only one application is down at a time due to the re-issuance of a cert.
- Relying on intermediate certs may be better at protecting against SQL injection or XSS. If code was injected into my application(s), it still may not be able to make requests to malicious sites because we don't have the malicious site's certificate, whereas if we use many of the common root certs, we may be exposed to this risk.
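The trade-off in the first and last bullets can be tried out directly. The script below is an added example, not part of the question: it builds a constructed PKI with openssl (one root, two vendor intermediates under it, one server leaf each; all names are made up), then checks which leaf validates when the trust store holds the root versus when it holds only one intermediate, and what happens when a server fails to send its intermediate.

```shell
#!/bin/sh
# Added example (not from the original post): build a constructed root -> intermediate -> leaf
# PKI with openssl, then check which trust-store contents let each leaf validate.
set -e
WORK="$(mktemp -d)"; cd "$WORK"
# Minimal req config (constructed) so nothing here depends on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Intermediate extensions: pathlen:0 means they may only issue end-entity certificates.
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ica.ext
# Root CA: self-signed and long-lived (10 years), like the roots discussed in the question.
openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -subj "/CN=Constructed Root CA" -days 3650 2>/dev/null
# Two short-lived intermediates under the same root (one per vendor), each issuing one server leaf.
for v in vendorA vendorB; do
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout "$v.key" -out "$v.csr" \
    -subj "/CN=Constructed Intermediate $v" 2>/dev/null
  openssl x509 -req -in "$v.csr" -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ica.ext -days 365 -out "$v.pem" 2>/dev/null
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout "$v-leaf.key" \
    -out "$v-leaf.csr" -subj "/CN=api.$v.example" 2>/dev/null
  openssl x509 -req -in "$v-leaf.csr" -CA "$v.pem" -CAkey "$v.key" -CAcreateserial \
    -days 90 -out "$v-leaf.pem" 2>/dev/null
done
# validates_against ANCHOR LEAF [UNTRUSTED]: succeeds when LEAF chains to ANCHOR, the only
# trusted cert supplied (default CA file/dir disabled); UNTRUSTED stands in for the chain a
# TLS server sends alongside its leaf. -partial_chain lets a non-self-signed intermediate act
# as the anchor, which is what a Java trust store entry already allows.
validates_against() {
  if [ -n "${3:-}" ]; then
    openssl verify -no-CAfile -no-CApath -partial_chain -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}
report() { if validates_against "$2" "$3" "${4:-}"; then echo "OK   $1"; else echo "FAIL $1"; fi; }
report "root anchor covers vendorA (server sends its intermediate)" root.pem vendorA-leaf.pem vendorA.pem
report "root anchor covers vendorB with the same single entry"      root.pem vendorB-leaf.pem vendorB.pem
report "root anchor, but the server omits its intermediate"         root.pem vendorA-leaf.pem
report "vendorA intermediate anchor accepts vendorA"                vendorA.pem vendorA-leaf.pem
report "vendorA intermediate anchor rejects vendorB"                vendorA.pem vendorB-leaf.pem vendorB.pem
```

The third case is the operational catch with a root-only trust store: validation then depends on every server sending its intermediate, whereas pinning the intermediate (cases four and five) keeps working without it but trusts nothing else under that root.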