CXF keystore question

Darrel Davis

Joined: Nov 10, 2007
Posts: 5
I am creating a client to connect to a .NET web service using CXF and WS-Security. I was given a certificate (.pfx) from the
web-service owner. I converted the .pfx to a DER (.cer) certificate.

I then created a new keystore using the command:
keytool -genkey -keyalg RSA -alias selfsigned -keystore sometrust.jks -storepass myownpass -validity 360 -keysize 2048

Then imported the converted certificate from the client:
keytool -import -trustcacerts -alias mywebservice -file converted.cer -keystore sometrust.jks

The import seems to have completed correctly and I can list the certs in the keystore.

I'm pretty sure my configuration is correct and I've configured the WSS4JOutInterceptor with 'mywebservice' (the alias of the key I want to use), but when I run the code I get an error:
Cannot find key for alias: [mywebservice]

Admittedly there are holes in my PKI understanding but is there an obvious step in my keystore management I'm missing?

greg stark
Ranch Hand

Joined: Aug 10, 2006
Posts: 220
Usually a .pfx contains not just a certificate but also a private key. Perhaps the web service owner requires client authentication. Apart from the wisdom of having them hand you your private key, the simplest thing to do is either to use the .pfx file as is and configure the client to use it as a PKCS12 keystore, or else create a default keystore and then import the .pfx file as a PKCS12 keystore using the -importkeystore keytool command.

So -srckeystore should be the path to the .pfx file, -srcstoretype should be PKCS12, and -destalias should be mywebservice.

The first command, -genkey, is only useful for its side effect of creating the keystore.

Nice to meet you.
Darrel Davis

Joined: Nov 10, 2007
Posts: 5
Excellent reply, thank you.

I initially had trouble getting the .pfx file imported, but eventually found out how to get the required alias using
keytool -list -v -keystore somefile.pfx -storetype pkcs12
since you suggested -destalias (-alias is required if using -destalias). I do want to set my alias, so this was correct.

I'm now getting an NPE (Fault string, and possibly fault code, not set), but at least I no longer get messages
regarding the keystore.

Further down the road. Back to the code ;)

Thanks again.