1 Reply Latest reply on Dec 15, 2008 9:48 AM by dejanb_dejan

    SSL communication with trusted certificate from webstart applications.

    hegsti

      Hi, we're considering using the FUSE Message Broker with SSL-encrypted traffic.

      Our client applications are Java 5 Web Start applications that currently communicate with our broker over TCP/IP.

      Our goal is simple distribution of client applications to the end users, and to avoid a "man in the middle" attack by not issuing/generating our own certificate.

      The WebStart-applications are distributed from - and the JMS-servers are running on - a selection of sub-domains (xxx.xyz.com, yyy.xyz.com, etc).

       

      We do not want the users to install certificates in their own keystore, we expect this to be solved by using certificates from a trusted issuer like VeriSign.

       

      We do not need to verify client certificates.

       

      (We have successfully tested SSL encryption with a self-generated certificate following the guide from http://activemq.apache.org/how-do-i-use-ssl.html.)

      1. What kind of certificate(s) do we need for this (the code signing of the Web Start apps and the SSL-encryption)? Do we need more than one?

      2. Will using keytool import of the certificate into the broker keystore be sufficient (without installing it into the client's trust store)?

      Kind regards,

      Stian