I would like to upload the Root and Intermediate signer certs for just the Certificate Authorities that we trust into the sharedcert folder.
Then in each application domain that needs to reference these signer certs, create Crypto Certificate objects mapped to the corresponding certificate file in the sharedcert folder.
If an SSL Client Profile's ValCred object needed the Root Cert for a particular CA, just use that domain's Crypto Cert object that represents that Root Cert.
If an SSL Server Profile's IDCred needed the Intermediate Cert for the CA that signed the cert that DataPower is presenting, just use that domain's Crypto Cert object that represents that Intermediate.
I like this design compared to what I see now, which is the same signer certs uploaded all over the place, with multiple Crypto Cert objects in each domain all for the same thing.
Is this design sound from a security perspective?
Is this design sound from a certificate management perspective?
Does it scale? If hundreds of DataPower services on the same appliance, across many different domains, are all mapped to the same file in sharedcert, will it work when thousands of connections per minute are being established, many of them needing to reference that one file?
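The layout described in the question, written out as DataPower CLI. This is an added example and is not from the original post; the domain name, object names and file names are assumptions, and the signer files are assumed to have already been uploaded to sharedcert: from the default domain. The private key and server certificate are assumed to live in the domain-private cert: directory, since only public signer certificates belong in the shared directory.

```text
# Added example, not from the original post. Names and file paths are assumed.
# Signer files uploaded once from the default domain (visible to every domain):
#   sharedcert:///ExampleCA-root.pem
#   sharedcert:///ExampleCA-intermediate.pem

top; configure terminal

# Repeat this block in each application domain that needs the signers.
switch domain AppDomainA
crypto

  # One Crypto Certificate object per signer, pointing at the shared file.
  certificate "ExampleCA-Root"         sharedcert:///ExampleCA-root.pem
  certificate "ExampleCA-Intermediate" sharedcert:///ExampleCA-intermediate.pem

  # This domain's own identity; private key stays in the domain-private cert: directory.
  key         "AppA-Key"  cert:///AppA-key.pem
  certificate "AppA-Cert" cert:///AppA-cert.pem

  # Client side (SSL Client Profile): trust anchor is the root only.
  # PKIX mode builds the chain from the intermediate the peer presents up to this root.
  valcred "ExampleCA-ValCred"
    certificate "ExampleCA-Root"
    cert-validation-mode pkix
  exit

  # Server side (SSL Server Profile): present our cert plus the intermediate that signed it,
  # so a peer that trusts only the root can complete the chain.
  idcred "AppA-IDCred" "AppA-Key" "AppA-Cert" ca "ExampleCA-Intermediate"

exit
```

Two practical checks go with this design: keep the root out of the IDCred (peers should already hold it as a trust anchor, and sending it adds nothing to validation), and remember that a Crypto Certificate object reads its file when the object comes up, so after a signer file in sharedcert: is replaced, the object in each domain has to be refreshed (disabled and re-enabled) before the new certificate takes effect.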