Including the sender's certificate in the signed message

When messages are digitally signed, the recipient must have the sender's certificate chain in order to check the signature. Typically, the chain has two certificates: that of the sender and that of the sender's certificate authority (CA).

There are two common ways of getting the certificates to the service.

  1. Install the CA's certificate in the service configuration. Send the caller's individual certificate with the signed message. This is called "direct reference", since the signature mark-up in the SOAP header refers directly to an included credential.
  2. Install both the CA certificate and the caller's individual certificate in the service configuration. Send the CA's name and the serial number of the caller's certificate in the SOAP message; have the service retrieve its copy of the certificate using these metadata. This is called the "issuer-serial" method.

The issuer-serial method presumes that all trusted users of the service are known to the service and have pre-registered their certificate chains before using the service. The direct-reference method presumes that the service operator trusts all users with certificates issued by a trusted CA.

To use the direct-reference method when WSDoAllSender signs the messages, the client must set a handler property as follows:

stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference");

To use the issuer-serial method, the property should be set like this:

stub._setProperty(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial");

If the property is not set, the default in WSS4J is to use the issuer-serial method.
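The following is an added example, not code from the original page or from the WSS4J project, showing where the SIG_KEY_ID setting sits within a complete client-side signing configuration for an Axis stub. The key alias "client-key", its password, the properties file name "client-crypto.properties" and the ClientKeyCallback class are assumptions; a real client would load the password from protected configuration rather than embed it.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.axis.client.Stub;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/** Supplies the private-key password that WSDoAllSender needs to create the signature. */
public class ClientKeyCallback implements CallbackHandler {

    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "unexpected callback type");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            // Hypothetical alias and password; only answer for the key we expect to sign with.
            if ("client-key".equals(pc.getIdentifier())) {
                pc.setPassword("changeit");
            }
        }
    }

    /**
     * Configures an Axis stub so that WSDoAllSender signs outgoing messages.
     * directReference=true sends the caller's certificate in the message (the service
     * needs only the CA certificate); false sends issuer name plus serial number (the
     * service must already hold the caller's certificate).
     */
    public static void configureSigning(Stub stub, boolean directReference) {
        stub._setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
        stub._setProperty(WSHandlerConstants.USER, "client-key");
        stub._setProperty(WSHandlerConstants.PW_CALLBACK_CLASS,
                ClientKeyCallback.class.getName());
        // Assumed crypto properties file naming the keystore that holds "client-key".
        stub._setProperty(WSHandlerConstants.SIG_PROP_FILE, "client-crypto.properties");
        // The choice described above; omitting this line gives the issuer-serial default.
        stub._setProperty(WSHandlerConstants.SIG_KEY_ID,
                directReference ? "DirectReference" : "IssuerSerial");
    }
}
```

This assumes WSDoAllSender is already in the client's handler chain (for example via client-config.wsdd), since the stub properties only take effect when that handler runs.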