Creating Key Pairs for WS Security

Usage

  • Securing a Web service provider without a Security Token Service

  • Authenticating a client with a Web service provider without a Security Token Service

    Authentication is performed once per session via a self-signed or externally signed key pair directly in the Web service.

Creating a Self-Signed Key Pair

Proceed as follows:

  1. Generate a key pair with the extension SubjectKeyIdentifier.

    Set the options according to your requirements (the C field must be a two-letter ISO country code, e.g. DE):

    openssl req -x509 -days 365 -nodes -newkey rsa:2048 -subj "/C=myCountry/ST=myState/L=myCity/O=myOrganization/OU=myDepartment/CN=myServerName" -keyout selfsigned.key -out selfsigned.crt -extensions v3_ca
  2. Convert the key pair generated in step 1 into the PKCS12 format in order to enable import into the Java keystore. openssl prompts for an export password; you must assign one, and the same password is required as -srcstorepass in step 3.

    openssl pkcs12 -export -in selfsigned.crt -inkey selfsigned.key -out selfsigned.p12
  3. Import the PKCS12 file into the Java keystore. -srcstorepass is the password assigned in step 2; the alias 1 is the one Java assigns to a PKCS12 entry exported without a name.

    keytool -importkeystore -srckeystore selfsigned.p12 -srcstoretype pkcs12 -srcalias 1 -srcstorepass <yourPassword> -destkeystore selfsigned.keystore.jks -destalias tomcat -deststorepass <yourPassword>
  4. Generate a JKS truststore with the service certificate. Enter the password assigned in step 2 as the password.

    keytool -importcert -keystore selfsigned.truststore.jks -file selfsigned.crt -alias tomcat -storepass <yourPassword>
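The four steps above, run end-to-end as a script. This is an added example, not part of the original page or the product documentation: it assumes openssl is installed, uses a constructed placeholder password in place of the interactive prompt, and skips the keytool steps when no JDK is on PATH. The checks it performs (SubjectKeyIdentifier present, PKCS12 password identical to -srcstorepass, expected entry types in the two JKS files) are the ones worth running before the keystore goes into the Web service.

```shell
#!/bin/sh
# Added example, not part of the original page: runs the self-signed procedure
# end-to-end with one consistent password and verifies the result at each step.
# Assumes openssl is on PATH; the keytool (JDK) steps run only when keytool is found.
set -eu

# Step 1 check: does the PEM certificate carry an X509v3 Subject Key Identifier?
cert_has_ski() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Key Identifier'
}

# Print the subject CN, to confirm the -subj options were applied as intended.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Step 2 check: does password $2 open the PKCS12 file $1? This is exactly the value
# that -srcstorepass must carry in step 3; any other value makes step 3 fail.
p12_password_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Steps 1 and 2: self-signed key pair and PKCS12 export into directory $1, password $2.
make_selfsigned_keypair() {
    dir=$1; pass=$2
    # C must be a two-letter country code; the other fields are constructed placeholders.
    openssl req -x509 -days 365 -nodes -newkey rsa:2048 \
        -subj "/C=DE/ST=myState/L=myCity/O=myOrganization/OU=myDepartment/CN=myServerName" \
        -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.crt" -extensions v3_ca
    # -passout replaces the interactive password prompt of the page's command.
    openssl pkcs12 -export -in "$dir/selfsigned.crt" -inkey "$dir/selfsigned.key" \
        -out "$dir/selfsigned.p12" -passout "pass:$pass"
}

# Steps 3 and 4: JKS keystore and truststore. Skipped (returns 0) when no JDK is on PATH.
import_into_jks() {
    dir=$1; pass=$2
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found; skipping the JKS steps" >&2
        return 0
    fi
    # Alias "1" is what Java assigns to a PKCS12 entry exported without -name.
    keytool -importkeystore -srckeystore "$dir/selfsigned.p12" -srcstoretype pkcs12 \
        -srcalias 1 -srcstorepass "$pass" \
        -destkeystore "$dir/selfsigned.keystore.jks" -deststoretype JKS \
        -destalias tomcat -deststorepass "$pass" -destkeypass "$pass"
    keytool -importcert -noprompt -keystore "$dir/selfsigned.truststore.jks" -storetype JKS \
        -file "$dir/selfsigned.crt" -alias tomcat -storepass "$pass"
    # The keystore must hold a private key entry and the truststore a trusted certificate entry.
    keytool -list -keystore "$dir/selfsigned.keystore.jks" -storepass "$pass" | grep -q 'tomcat.*PrivateKeyEntry'
    keytool -list -keystore "$dir/selfsigned.truststore.jks" -storepass "$pass" | grep -q 'tomcat.*trustedCertEntry'
}

# Runs the whole procedure in a fresh directory; any failed check aborts via set -e.
main() {
    dir=$(mktemp -d); pass='example-p12-password'   # constructed placeholder password
    make_selfsigned_keypair "$dir" "$pass"
    cert_has_ski "$dir/selfsigned.crt"
    echo "SubjectKeyIdentifier present, subject CN: $(cert_subject_cn "$dir/selfsigned.crt")"
    p12_password_ok "$dir/selfsigned.p12" "$pass"
    echo "PKCS12 password accepted"
    import_into_jks "$dir" "$pass"
    echo "output written to $dir"
}

case "${1:-}" in run) main ;; esac
```

Run it with `sh make_ws_keypair.sh run`; the functions can also be sourced individually to check an existing certificate or PKCS12 file. One caveat when mixing tool generations: OpenSSL 3 writes PKCS12 files with AES and PBKDF2 by default, which keytool from older JDKs cannot open; in that case re-export with `openssl pkcs12 -export -legacy` (the legacy provider must be available).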

Creating an Externally Signed Key Pair

Proceed as follows:

  1. Generate a keystore with an automatically generated certificate.

    Set the options according to your requirements:

    keytool -genkey -keyalg RSA -dname "CN=myServerName, O=myCompany IS, C=de" -validity 999 -keystore private.keystore -keypass <yourPassword> -storepass <yourPassword> -alias tomcat
  2. Export the certification request using the private key.

    keytool -certreq -v -alias tomcat -keystore private.keystore -storepass <yourPassword> -file server_request.csr
  3. Transmit the certification request to one of the certificate authorities (CA), e.g. D-Trust. The certificate authority returns the signed certificate for the Web service, i.e. your own public key (in this case public.cer), together with the CA's own certificate (in this case CAcert.cer).

  4. List all information on the service certificate. The output must show version 3 (X.509v3) and the SubjectKeyIdentifier extension.

    keytool -printcert -v -file public.cer
  5. Import the CA certificate to the private keystore. It must be present before step 6 so that keytool can validate the certificate chain when the signed certificate is imported.

    keytool -import -trustcacerts -alias cacert -file CAcert.cer -keystore private.keystore -storepass <yourPassword>
  6. Import the public key to the private keystore. Using the alias of the key pair (tomcat) replaces the automatically generated certificate from step 1 with the CA-signed one.

    keytool -import -trustcacerts -alias tomcat -file public.cer -keystore private.keystore -storepass <yourPassword>
  7. Generate the truststore with the public key.

    keytool -import -alias tomcat -file public.cer -keystore public.keystore -storepass <yourPassword>
  8. Import the CA certificate to the truststore to check the certificate chain.

    keytool -import -alias cacert -file CAcert.cer -keystore public.keystore -storepass <yourPassword>
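Because the external CA cannot be exercised offline, the following added example (not from the original page or the product documentation) stands in for it with a throw-away local CA created with openssl, signs the request, and then runs the two checks the procedure relies on: the X.509v3/SubjectKeyIdentifier check of step 4 and the chain validation that the CA certificate in the truststore (step 8) makes possible. The CSR is generated with openssl rather than keytool -certreq; file names follow the page (CAcert.cer, public.cer, server_request.csr), while the CA name, subject fields and password are constructed placeholders. The keytool truststore steps run only when a JDK is on PATH.

```shell
#!/bin/sh
# Added example, not part of the original page: stands in for the external CA with a
# throw-away local CA so the chain check that the truststore enables (steps 3 and 8)
# can be exercised offline. Assumes openssl on PATH; all names are constructed placeholders.
set -eu

# Stand-in for the external CA (e.g. D-Trust): a self-signed CA certificate in directory $1.
# v3_ca from openssl.cnf gives it basicConstraints CA:TRUE plus subject/authority key identifiers.
make_test_ca() {
    dir=$1
    openssl req -x509 -days 365 -nodes -newkey rsa:2048 -subj "/CN=Example Test CA/O=myCompany IS/C=DE" \
        -keyout "$dir/ca.key" -out "$dir/CAcert.cer" -extensions v3_ca
}

# Steps 1 and 2 with openssl instead of keytool -genkey/-certreq: server key plus CSR.
make_server_csr() {
    dir=$1
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=myServerName/O=myCompany IS/C=DE" \
        -keyout "$dir/server.key" -out "$dir/server_request.csr"
}

# Step 3, as the CA does it: sign the request, adding the extensions step 4 expects to see.
sign_server_csr() {
    dir=$1
    printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\n' \
        > "$dir/server_ext.cnf"
    openssl x509 -req -days 365 -in "$dir/server_request.csr" \
        -CA "$dir/CAcert.cer" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server_ext.cnf" -out "$dir/public.cer"
}

# Step 4 check: X.509 version 3 and a Subject Key Identifier must both be present.
cert_is_v3_with_ski() {
    text=$(openssl x509 -in "$1" -noout -text)
    echo "$text" | grep -q 'Version: 3' && echo "$text" | grep -q 'X509v3 Subject Key Identifier'
}

# Step 8 check: does certificate $2 chain to CA certificate $1 and nothing else?
# -no-CAfile/-no-CApath keep the system trust store out, mirroring a truststore that holds only the CA.
chain_verifies() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Steps 7 and 8 with keytool, plus a listing check; skipped (returns 0) when no JDK is on PATH.
build_truststore() {
    dir=$1; pass=$2
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found; skipping the truststore steps" >&2
        return 0
    fi
    keytool -importcert -noprompt -alias tomcat -file "$dir/public.cer" \
        -keystore "$dir/public.keystore" -storepass "$pass"
    keytool -importcert -noprompt -alias cacert -file "$dir/CAcert.cer" \
        -keystore "$dir/public.keystore" -storepass "$pass"
    # Both the service certificate and the CA certificate must be listed as trusted entries.
    [ "$(keytool -list -keystore "$dir/public.keystore" -storepass "$pass" | grep -c trustedCertEntry)" -eq 2 ]
}

# Runs the simulated procedure in a fresh directory; any failed check aborts via set -e.
main() {
    dir=$(mktemp -d); pass='example-truststore-password'   # constructed placeholder password
    make_test_ca "$dir"
    make_server_csr "$dir"
    sign_server_csr "$dir"
    cert_is_v3_with_ski "$dir/public.cer"
    chain_verifies "$dir/CAcert.cer" "$dir/public.cer"
    echo "public.cer is X.509v3 with a SubjectKeyIdentifier and chains to CAcert.cer"
    build_truststore "$dir" "$pass"
    echo "output written to $dir"
}

case "${1:-}" in run) main ;; esac
```

Run it with `sh simulate_external_ca.sh run`. With a real CA, only `cert_is_v3_with_ski` and `chain_verifies` are needed: point them at the public.cer and CAcert.cer the CA returned before importing either file, and the chain check fails immediately if the CA sent an intermediate certificate that is not in the truststore.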