When the client makes a connection request, the server presents its certificate for the client to accept or deny. The client checks the issuer of the certificate against a list of trusted Certificate Authorities (CAs) whose root certificates reside in one of the following stores on the client:
• For Windows operating systems: A permanent storage known as Windows certificate store.
• For both Windows and non-Windows operating systems: A truststore file. It can be either a password-protected PKCS #12 file or a comma-separated list of root certificates issued by valid Certificate Authorities (CAs).
If the server certificate is issued by a trusted CA, whose root certificate resides in either the Windows certificate store or a truststore file, an encrypted connection is established between the client and server. If the certificate is not issued by a trusted CA, the connection fails and the client returns an error.
To verify the server certificate against the root certificates available in the Windows certificate store, set the Truststore connection string attribute to system (Truststore=system). Note that the client looks for the required root certificate at the following location in the Windows certificate store: Current User\Trusted Root Certification Authorities\Certificates.
To verify the server certificate against the root certificates available in a truststore file, set the Truststore connection string attribute to specify the path of the truststore file and set the TruststorePassword connection string attribute to specify the password required to unlock the truststore file.
Alternatively, you can configure the client to trust any certificate sent by the server, even if the issuer is not a trusted CA, by disabling validation with the ValidateServerCertificate connection string attribute. This is useful in test environments because it eliminates the need to specify truststore information on each client. Do not use it in production: the connection is still encrypted, but the server is no longer authenticated, so anyone who can intercept the traffic can present their own certificate and read or alter everything the client sends.
Finally, the HostNameInCertificate connection string attribute adds a further check. When a value is specified, the host name in the server certificate must match it (the host name the SSL administrator established for the server when the certificate was issued). This defeats a man-in-the-middle that presents a certificate validly issued by a trusted CA but for a different host, and ensures that the client is connecting to the server that was requested. The check only adds protection when ValidateServerCertificate has not been disabled, since an attacker who can present any certificate can also choose the host name in it.
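The following is an added example, not the driver's own code, that models the verification policy selected by the Truststore, TruststorePassword, ValidateServerCertificate and HostNameInCertificate attributes above. It maps each attribute onto the equivalent setting of Python's standard ssl module and includes a small host-name matcher that mirrors the comparison HostNameInCertificate implies. The connection string syntax (semicolon-separated key=value pairs, matched case-insensitively), the 0/1 and true/false values for ValidateServerCertificate, and the treatment of any Truststore value other than system as a file path are assumptions, not taken from the page; the driver itself is not involved.

```python
"""Model of the server-certificate verification policy chosen by the
connection string attributes on this page (example code, not the driver's).

Assumptions (not stated on the page): attributes are ';'-separated key=value
pairs, keys are case-insensitive, ValidateServerCertificate accepts 0/1 or
false/true, and a Truststore value other than 'system' is a path to a PEM file.
"""
import ssl
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class VerifyPolicy:
    validate_server_cert: bool          # False: accept any certificate (test only)
    truststore: Optional[str]           # None, "system", or a file path
    truststore_password: Optional[str]  # only meaningful for a PKCS #12 file
    hostname_in_certificate: Optional[str]


def parse_connection_string(conn: str) -> VerifyPolicy:
    """Extract the SSL-verification attributes from a key=value;... string."""
    attrs = {}
    for part in conn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
    vsc = attrs.get("validateservercertificate", "1").lower()
    return VerifyPolicy(
        validate_server_cert=vsc not in ("0", "false", "no"),
        truststore=attrs.get("truststore"),
        truststore_password=attrs.get("truststorepassword"),
        hostname_in_certificate=attrs.get("hostnameincertificate"),
    )


def build_ssl_context(policy: VerifyPolicy) -> ssl.SSLContext:
    """Build an ssl.SSLContext that makes the same trust decisions as the policy.

    Truststore=system maps to load_default_certs() (the OS store, which on
    Windows is the Windows certificate store); a PEM truststore file maps to
    load_verify_locations().  The ssl module cannot read PKCS #12 directly, so
    such a truststore must first be converted to PEM (for example with
    'openssl pkcs12 -nokeys').  A missing Truststore is treated as an error
    here (assumption: no trust anchors means no way to authenticate the server).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if not policy.validate_server_cert:
        # ValidateServerCertificate disabled: traffic is encrypted but the peer
        # is never authenticated, so a man-in-the-middle goes undetected.
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if policy.truststore is None:
        raise ValueError("ValidateServerCertificate is on but no Truststore is set")
    if policy.truststore.lower() == "system":
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    else:
        # Raises FileNotFoundError if the truststore path does not exist.
        ctx.load_verify_locations(cafile=policy.truststore)
    return ctx


def hostname_matches(expected: str, cert_names: Iterable[str]) -> bool:
    """Compare a HostNameInCertificate value against the names a certificate
    carries (its SAN dNSName entries, or the subject CN when there is no SAN).

    A wildcard is honoured only as the whole leftmost label, RFC 6125 style:
    '*.example.com' matches 'db1.example.com' but neither 'example.com' nor
    'a.db1.example.com'.  Comparison is case-insensitive and ignores a
    trailing dot.
    """
    host = expected.rstrip(".").lower()
    if not host or not host.split(".")[0]:
        return False
    for name in cert_names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                       # e.g. '.example.com'
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False


def wrap_client_socket(sock, policy: VerifyPolicy, server_host: str) -> ssl.SSLSocket:
    """Hand a connected TCP socket to TLS.  HostNameInCertificate, when set,
    becomes the name the certificate is checked against (it is also sent as SNI
    here, which the driver attribute does not necessarily imply)."""
    ctx = build_ssl_context(policy)
    expected = policy.hostname_in_certificate or server_host
    return ctx.wrap_socket(sock, server_hostname=expected)
```

The two contexts differ only in verify_mode and check_hostname, which is exactly the difference between a production and a test connection string: both encrypt, but only the validating one authenticates the server. hostname_matches is provided so the effect of HostNameInCertificate can be tried on candidate names before a certificate is issued; in a live connection the same comparison is performed by the ssl module through check_hostname.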