Customizing Usage of the Trusted Certificates Directory
Most of the time you will want to specify a trusted certificates directory; however, there may be times when you do not want to. For example, you might want to trust all certificate authorities on outbound requests and trust specific CAs on different ports for incoming requests. For outbound requests (a certificate the server receives from a server that it submits a request to), if you do not specify a directory, or specify a directory that does not contain certificates for CAs, by default, the server trusts all certificate authorities. The server configuration property that controls this behavior (watt.security.cert.wmChainVerifier.trustByDefault) is set to True by default. If this property is set to False and no directory or an empty directory is specified, the server will trust no certificates for outbound requests.
For inbound requests, you can specify a trusted certificates directory at the server level (on the Security Certificates screen) or at the port level (on the Edit HTTPS Port Configuration screen or the Edit FTPS Port Configuration screen). If you omit a trusted authorities directory (or specify a directory that does not contain CA certificates) from both the server level and the port level, the server will trust no certificate authorities. If you specify a trusted authorities directory at the server level and at the port level, the server uses the directory specified at the port level for determining trust on connections being made to that port. If you specify a trusted authorities directory at just the port level, the server uses the port-level setting for requests being made to the port.
For S/MIME signature trust validation, if you do not specify a trusted certificates directory or specify a directory that does not contain the certificates of trusted CAs, by default the server trusts all signatures on S/MIME messages. However, if watt.security.cert.wmChainVerifier.trustByDefault is set to False and no directory or an empty directory is specified, the server will trust no signatures on S/MIME messages.