• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
  • Campbell Ritchie
  • Paul Clapham
  • Ron McLeod
  • Liutauras Vilda
  • Bear Bibeault
  • Jeanne Boyarsky
  • Tim Cooke
  • Devaka Cooray
Saloon Keepers:
  • Tim Moores
  • Tim Holloway
  • Piet Souris
  • salvin francis
  • Stephan van Hulst
  • Frits Walraven
  • Carey Brown
  • Jj Roberts

CXF keystore question

Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am creating a client to connect to a .Net web service using cxf and WS-Security. I was given a certificate (.pfx) from the
web-service owner. I converted the .pfx to a der (.cer) certificate.

I then created a new keystore using the command:
keytool -genkey -keyalg RSA -alias selfsigned -keystore sometrust.jks -storepass myownpass -validity 360 -keysize 2048

Then imported the converted certificate from the client:
keytool -import -trustcerts -alias mywebservice -file converted.cer -keystore sometrust.jks

The import seems to have completed correctly and I can list the certs in the keystore.

I'm pretty sure my configuration is correct and I've config'd the WSS4JOutInterceptor with 'mywebservice' (the alias of the key I want to use) but when I run the code I get an error:
Cannot find key for alias: [mywebservice]

Admittedly there are holes in my PKI understanding but is there an obvious step in my keystore management I'm missing?

Ranch Hand
Posts: 220
  • Likes 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
usually a .pfx contains not just a certificate but also a private key. Perhaps the web service owner requires client authentication. Apart from the wisdom of having them hand you your private key the simplest thing to do is either to use the .pfx file as is and configure the client to use it as a PKCS12 keystore, or else create a default keystore and then import the .pfx file as a PKCS12 keystore using the -importkeystore keytool command.

So -srckeystore should be the path to the .pfx file, -srckeystoretype should be PKCS12, and -destalias should be mywebservice.

The first command -keygen is only useful for its side effect of creating the keystore.
Darrel Davis
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Excellent reply, thank you.

I initially had trouble getting the .pfx file imported but eventually found out how to get the required alias using
keystore -list -v -keystore somefile.pfx -storetype pkcs12
since you suggested -destalias (-alias is required if using -destalias). I do want to set my alias so this was correct.

I'm now getting an NPE (Fault string, and possibly fault code, not set) but at least I no longer get messages
regarding the keystore.

Further down the road. Back to the code ;)

Thanks again.
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
    Bookmark Topic Watch Topic
  • New Topic