April 19, 2008 - 17:16 EDT - Tags: WSS4J Web Services WSE X509 security Axis .NET
Some of you may have read my earlier post, Making a WSS4J client talk to a WSE 3.0 secured web service with x509 certificates. In the original post I used the interop certificates that are issued with WSS4J. In this post I'll explain how you can create your own certificates.
Software
- wss4j 1.5.3
- WSE 3.0
- keytool - included with the Java SDK in the bin folder
Creating the certificate
Open the "request a new certificate" web site and request an advanced certificate. Remember to check "Mark keys as exportable"; I also recommend checking "Store certificate in the local computer certificate store".
Go to the server's Administrative Tools and issue the certificate from the Certification Authority. Next, point your browser back to the certificate request page and download the issued certificate.
Repeat the process for each web service client or server.
Exporting the certificate
Open mmc.exe from Start\Run... and add the Certificates snap-in for "local computer". Export the certificate both with and without the private key. When exporting with the private key, check "Include all certificates..." and uncheck "Enable strong protection". You should now have a .pfx file and a .cer file for your server, and a .pfx and a .cer file for each client.
Creating a java keystore for a client
Start by converting the client .pfx to a .jks by running:
java -classpath d:/projects/java/axisUMT/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import client1.pfx my.jks
Next we want to create a nice alias for our key. In the result from the previous command, you will see the current alias. To create a new one, run:
keytool -keyclone -keystore my.jks -alias <long alias from previous command> -dest <easier to remember alias>
Now we import the web service server certificate. We do this by running:
keytool -import -keystore my.jks -alias <nice alias> -file <.cer file for web service certificate>
And that's it!
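To confirm the keystore ended up as intended, the output of keytool -list -keystore my.jks can be checked for entry types: the client alias should be a private key entry, and the web service server should appear only as a trusted certificate. The script below is an added example, not part of the original post; the aliases client1 and wseserver, the function names and the sample listing are constructed, and it assumes keytool's default short listing format.

```shell
#!/bin/sh
# Added example. Reads `keytool -list` short-form output and checks that the
# client alias holds a private key and the server alias holds only a certificate.
# Real use:  keytool -list -keystore my.jks | check_listing client1 wseserver

# entry_type ALIAS: listing on stdin; prints ALIAS's entry type, or nothing.
# JKS aliases are case-insensitive, so the comparison ignores case.
entry_type() {
    awk -F',' -v want="$1" '
        tolower($1) == tolower(want) {
            for (i = 2; i <= NF; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", $i)
                if ($i ~ /Entry$/) { print $i; exit }
            }
        }'
}

# check_listing CLIENT_ALIAS SERVER_ALIAS: listing on stdin; returns 0 if OK.
check_listing() {
    listing=$(cat)
    client_type=$(printf '%s\n' "$listing" | entry_type "$1")
    server_type=$(printf '%s\n' "$listing" | entry_type "$2")
    rc=0
    case "$client_type" in
        PrivateKeyEntry|keyEntry) ;;   # older keytool prints keyEntry
        *) echo "FAIL: $1 is '${client_type:-missing}', expected a private key entry" >&2; rc=1 ;;
    esac
    # The server must be present as a certificate only (imported from the .cer).
    if [ "$server_type" != "trustedCertEntry" ]; then
        echo "FAIL: $2 is '${server_type:-missing}', expected trustedCertEntry" >&2; rc=1
    fi
    return $rc
}

# Constructed sample listing (aliases and dates are made up; fingerprints elided).
SAMPLE_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

wseserver, Apr 19, 2008, trustedCertEntry,
Certificate fingerprint (MD5): (elided)
client1, Apr 19, 2008, PrivateKeyEntry,
Certificate fingerprint (MD5): (elided)'

if printf '%s\n' "$SAMPLE_LISTING" | check_listing client1 wseserver; then
    echo "sample listing OK"
fi
```

A failure on the server alias usually means the server's .pfx was imported instead of its .cer, which would put the server's private key on the client.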
Chris Barber for Converting PFX Certificates to Java Keystores