
SSL Certificate prerequisites to consuming an HTTPS service


I realize the number of questions about SSL certificates is legion, but after much searching I couldn't find a precise answer to the following confusion.

For one-way SSL, under what circumstances does the consumer of an HTTPS web service need to import the provider of said web service's certificate/public key? I've consumed a few web services over https before and never had to add the other company's certificate or public key to the key store (or is it trust store?) of any device at my company.

And yet apparently sometimes that is the case, as evidenced by these examples:

certificate mechanism between webservice provider and consumer

Consuming RESTful service over https with certificate using Java

Is it only necessary when the provider of the service's certificate is not issued by a CA known to the consumer?

Also, if the consumer does end up having to import the provider's certificate, AND it's the case that the consumer's consuming app itself consists of a client part and a server part, does the consumer import it into the store of the consumer's web server or into the store of each and every client computer at the consumer's company?

Finally, for two-way SSL, does the consumer send his own client certificate with code that executes on his (possibly many) client computers or on his own web server?

Thanks for any clarification.


Solution

  • Is it only necessary when the provider of the service's certificate is not issued by a CA known to the consumer?

    Yes. When the relying party uses certificates from a globally trusted CA, no extra actions are required to install foreign certificates.

  • into the store of each and every client computer at the consumer's company?

    If the issuer is not globally trusted, it must be installed on every device that consumes the service with the custom certificate.

  • does the consumer send his own client certificate with code that executes on his (possibly many) client computers or on his own web server?

    It's unclear what you mean. Can you elaborate?

    update:

    It depends on how the 3rd party server authenticates you. Are they OK identifying your app as a whole, or do they require distinguishing every internal user? In the first case, it is enough to have a single client certificate within your app, and you will have two separate TLS connections:

    3rd party server <--TLS--> Your App <--TLS--> End user (many)
    

    End users connect and authenticate only to your application. When necessary, your app establishes a separate TLS connection to the 3rd party and the work is done. It is quite common practice. End users are not aware of the 3rd party server, and the 3rd party server is not aware of your internal users (and probably should not be).
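The point of the answer is that a TLS client only accepts a server certificate that chains to a root in its own trust store, so a provider certificate from a private CA has to be imported on every machine that opens the connection. The following Go program is an added example, not code from the question or the answer: it constructs a throwaway private CA and a server certificate for a made-up host name (`api.provider.example`, an assumption), then runs the same chain validation a TLS client performs, first against a trust store that lacks the CA, then after "importing" the CA, and finally with the CA imported but the wrong host name. Only the middle case passes, which is why consuming a service over HTTPS usually needs no import at all (public CA already present) but a private CA needs an import on each consuming device.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Outcome holds the verification result of the three trust-store scenarios.
type Outcome struct {
	UnknownIssuer error // consumer's trust store does not contain the provider's CA
	Trusted       error // CA imported, correct host name: expected nil
	WrongHost     error // CA imported, but the certificate is for a different host
}

// buildPKI creates a constructed private CA and a server (leaf) certificate
// signed by it. Both are test artifacts generated in memory, not a real
// provider's certificates; "api.provider.example" is an assumed host name.
func buildPKI() (caCert, leafCert *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Provider Private CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err = x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "api.provider.example"},
		DNSNames:     []string{"api.provider.example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafCert, err = x509.ParseCertificate(leafDER)
	return caCert, leafCert, err
}

// verifyAsClient performs the checks a TLS client applies to a server
// certificate: chain to a root in the given trust store, host name match,
// and the serverAuth extended key usage.
func verifyAsClient(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// RunDemo exercises the three scenarios and returns their outcomes.
func RunDemo() (Outcome, error) {
	caCert, leafCert, err := buildPKI()
	if err != nil {
		return Outcome{}, err
	}
	// An empty pool stands for a device whose trust store lacks the private CA.
	withoutCA := x509.NewCertPool()
	// "Importing" the provider's CA is adding it to the consumer's trust store.
	withCA := x509.NewCertPool()
	withCA.AddCert(caCert)
	return Outcome{
		UnknownIssuer: verifyAsClient(leafCert, withoutCA, "api.provider.example"),
		Trusted:       verifyAsClient(leafCert, withCA, "api.provider.example"),
		WrongHost:     verifyAsClient(leafCert, withCA, "other.example"),
	}, nil
}

func main() {
	o, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("CA not imported:    ", o.UnknownIssuer)
	fmt.Println("CA imported:        ", o.Trusted)
	fmt.Println("CA imported, bad host:", o.WrongHost)
}
```

The empty `x509.CertPool` is used deliberately instead of `nil`: a nil `Roots` makes Go fall back to the operating system's trust store, which is exactly the "globally trusted CA" case from the answer and would make the first scenario depend on the machine running the program.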