Generate a key pair for the client. (The prose on this page originally said "server/service", but every command below works on the client key store, Client.jks; the server key store is set up on its own page.)

$ keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 -keystore ./Client.jks

alias = name of the key pair's entry in the keystore, for example client
keystore = name of the keystore file, for example Client.jks
-genkeypair is the current name of the older -genkey command; -keysize 2048 is given explicitly because older keytool releases default to 1024-bit RSA keys. When prompted "What is your first and last name?", enter the name the certificate is to be valid for (this becomes the CN), for example localhost; the answers to the other prompts can be anything. Remember the keystore and key passwords you choose, because every later keytool command needs them.

Generate a Certificate Signing Request (CSR) so that the client's certificate can be signed by a CA. The CSR contains the public key and the name entered above; the private key never leaves the keystore.

$ keytool -certreq -alias client -keystore Client.jks -file Client.csr

Get the certificate signed by our CA, Test CA in these examples. See this page on how to set up a CA.

$ openssl x509 -req -sha256 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -in Client.csr -out Client.cer -days 365

caroot.cer (the CA's certificate), cakey.pem (the CA's private key) and serial.txt (the serial-number file) are generated when setting up the CA. -sha256 is given explicitly so that older OpenSSL releases do not fall back to an SHA-1 signature.

Import the Test CA's self-signed root certificate into the client key store as a trusted certificate. This must happen before the signed certificate is imported: keytool builds the certificate chain from the trusted entries in the keystore and otherwise fails with "Failed to establish chain from reply". keytool will ask "Trust this certificate?"; compare the fingerprint it prints with the CA's before answering yes.

$ keytool -importcert -alias TestCA -file caroot.cer -keystore Client.jks

Import the client's certificate, now signed by Test CA, into the client key store under the same alias that was used for the key pair in the genkeypair step. Because that alias already holds a key pair, keytool treats the file as a certificate reply and replaces the self-signed certificate with the CA-signed one, so the entry's chain becomes client certificate, then Test CA root.

$ keytool -importcert -alias client -file Client.cer -keystore Client.jks

We also need the server's certificate (and with it the server's public key) in the client key store, because the client is the one who initiates the conversation with the server or service and has to encrypt (part of) the request message with the server's public key. Server.cer is the server's certificate, signed by Test CA when the server key store was set up. The server does not need the client's certificate in its key store if a BinarySecurityToken is used, because the client's certificate travels inside the SOAP message itself. The server must, however, hold the Test CA root as a trusted certificate and check that the certificate taken from the token chains to it; without that check any self-signed certificate placed in the token would be accepted.

$ keytool -import -alias server -file Server.cer -keystore Client.jks
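The whole procedure above run end to end for both parties, plus the trust check on a BinarySecurityToken certificate that the previous paragraph requires of the server, as an added example that is not part of the original page. It assumes keytool (from a JDK) and openssl are on PATH and, because the CA set-up page is not reproduced here, creates a throw-away Test CA of its own (caroot.cer, cakey.pem, serial.txt) as a stand-in. The password "changeit", the CNs and the OU/O/C values are placeholders, and make_test_ca, build_keystore, chain_length and issued_by_test_ca are helper names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original page: the page's procedure carried out for both the
# server and the client, plus a stand-in for the Test CA that the page's CA set-up page creates.
# Assumed: keytool (JDK) and openssl on PATH; "changeit", the CNs and OU/O/C are placeholders;
# all files are written to a fresh temp directory (or $WORKDIR when set).
set -e
export LC_ALL=C          # English tool output, so the checks below can parse it
PASS=changeit            # placeholder; choose real passwords outside a test setup

# Stand-in for the page's Test CA: a self-signed root plus the serial file openssl x509 -CAserial needs.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Test CA" -keyout cakey.pem -out caroot.cer 2>/dev/null
    echo 01 > serial.txt
}

# The page's five keytool/openssl steps for one party.  Usage: build_keystore <alias> <keystore> <CN>
build_keystore() {
    name=$1; ks=$2; cn=$3
    # 1. key pair; -dname answers the "first and last name" etc. prompts non-interactively
    keytool -genkeypair -alias "$name" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$cn, OU=Test, O=Test, C=US" \
        -keystore "$ks" -storepass "$PASS" -keypass "$PASS" 2>/dev/null
    # 2. CSR for that key pair (the private key stays in the keystore)
    keytool -certreq -alias "$name" -keystore "$ks" -storepass "$PASS" -file "$name.csr" 2>/dev/null
    # 3. Test CA signs the request
    openssl x509 -req -sha256 -days 365 -in "$name.csr" -CA caroot.cer -CAkey cakey.pem \
        -CAserial serial.txt -out "$name.cer" 2>/dev/null
    # 4. CA root as a trusted entry; must precede step 5 or keytool cannot build the chain
    keytool -importcert -noprompt -alias TestCA -file caroot.cer \
        -keystore "$ks" -storepass "$PASS" >/dev/null 2>&1
    # 5. the CA-signed cert under the key pair's own alias replaces the self-signed one
    keytool -importcert -alias "$name" -file "$name.cer" \
        -keystore "$ks" -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
}

# Length of the chain keytool stores for an alias: 2 means "<alias's cert> issued by <Test CA>".
chain_length() {
    keytool -list -v -alias "$1" -keystore "$2" -storepass "$PASS" 2>/dev/null \
        | sed -n 's/^Certificate chain length: //p'
}

# The check a server must make on a certificate it took out of a BinarySecurityToken:
# does it chain to the CA the server trusts?  Exit status 0 means yes.
issued_by_test_ca() {
    openssl verify -CAfile caroot.cer "$1" >/dev/null 2>&1
}

main() {
    work=${WORKDIR:-$(mktemp -d)}; mkdir -p "$work"; cd "$work"
    make_test_ca
    build_keystore server Server.jks localhost   # what the server page produces; we need its Server.cer
    build_keystore client Client.jks client      # this page's keystore
    # the client encrypts to the server, so the server's certificate goes into the client keystore too
    keytool -exportcert -rfc -alias server -keystore Server.jks -storepass "$PASS" -file Server.cer 2>/dev/null
    keytool -importcert -noprompt -alias server -file Server.cer \
        -keystore Client.jks -storepass "$PASS" >/dev/null 2>&1
    # a self-signed cert sent in a BinarySecurityToken is not good enough: the server must reject it
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=client" \
        -keyout rogue.key -out rogue.cer 2>/dev/null

    echo "work dir: $work"
    echo "client chain length: $(chain_length client Client.jks)"         # 2
    issued_by_test_ca client.cer && echo "client.cer: OK, issued by Test CA"
    issued_by_test_ca rogue.cer || echo "rogue.cer: rejected, not issued by Test CA"
    keytool -list -keystore Client.jks -storepass "$PASS" 2>/dev/null     # entries: client, TestCA, server
}

# Run the walk-through when executed; skip with a note where the JDK's keytool or openssl is missing.
if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    main
else
    echo "keytool/openssl not on PATH: walk-through skipped" >&2
fi
```

Save it as a file and run it with sh; the last keytool -list shows the three entries the page builds up (client as a PrivateKeyEntry, TestCA and server as trustedCertEntry). Recent JDKs create a PKCS12 file even when the name ends in .jks; add -storetype JKS to the keytool commands if a JKS file is really required.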
