I am creating a client to connect to a .Net web service using cxf and WS-Security. I was given a certificate (.pfx) from the
web-service owner. I converted the .pfx to a der (.cer) certificate.
I then created a new keystore using the command:
keytool -genkey -keyalg RSA -alias selfsigned -keystore sometrust.jks -storepass myownpass -validity 360 -keysize 2048
Then imported the converted certificate from the client:
keytool -import -trustcerts -alias mywebservice -file converted.cer -keystore sometrust.jks
The import seems to have completed correctly and I can list the certs in the keystore.
I'm pretty sure my configuration is correct and I've config'd the WSS4JOutInterceptor with 'mywebservice' (the alias of the key I want to use) but when I run the code I get an error:
Cannot find key for alias: [mywebservice]
Admittedly there are holes in my PKI understanding but is there an obvious step in my keystore management I'm missing?
usually a .pfx contains not just a certificate but also a private key. Perhaps the web service owner requires client authentication. Apart from the wisdom of having them hand you your private key the simplest thing to do is either to use the .pfx file as is and configure the client to use it as a PKCS12 keystore, or else create a default keystore and then import the .pfx file as a PKCS12 keystore using the -importkeystore keytool command.
So -srckeystore should be the path to the .pfx file, -srckeystoretype should be PKCS12, and -destalias should be mywebservice.
The first command -keygen is only useful for its side effect of creating the keystore.
Nice to meet you.
Joined: Nov 10, 2007
Excellent reply, thank you.
I initially had trouble getting the .pfx file imported but eventually found out how to get the required alias using
keystore -list -v -keystore somefile.pfx -storetype pkcs12
since you suggested -destalias (-alias is required if using -destalias). I do want to set my alias so this was correct.
I'm now getting an NPE (Fault string, and possibly fault code, not set) but at least I no longer get messages
regarding the keystore.