Hi Chris,

The certificates shipped with CXF are self-signed certificates, which means that the server certificate must be imported into the client truststore and vice versa.

It depends on the number of clients and servers you have, but I might consider introducing a certificate authority (CA). Both client and server trust certificates which have been issued (signed) by this CA. That means that client and server only have to add the CA certificate into the truststore. In addition, the server must add its certificate and private key into the keystore, and similarly for the client.

Does this make sense to you?

Thanks
Oli

________________________________________
From: Chris Richmond [[email protected]]
Sent: Friday, 20 May 2011 09:51
To: [email protected]
Subject: Key/cert management with CXF

I have successfully tested a CXF based service and client in Java using 2 way SSL in code only (no Spring), following this example: http://aruld.info/programming-ssl-for-jetty-based-cxf-services/

Now, I am simply reusing the same keystores/truststores from the CXF example, but I am having difficulty figuring out the workflow for securing my own service. What I want to achieve is having a 2 way SSL CXF web service which I will generate certs for on the server side; then the administrator will hand out those certs to trusted developers and make an entry in the server's truststore for those certs. That cert can be used by client developers to submit with their requests for 2 way SSL.

I *think* the workflow will be like this, but I need advice on this:

- create a keystore on the server machine.
- create a truststore on the server machine.
- generate a key in the keystore for a particular client to use.
- export that key's certificate and import that cert into the server's truststore so that the server will trust/allow any clients using that cert access.
- hand out that cert to the client developer via email, thumb drive, etc. (not important how).
- the client puts that cert into their keystore? Truststore? The client needs to have a keystore and truststore as well, does it not?

But I'm not exactly sure what/where the client needs to put that cert in order to call the server via CXF. The example I used above has prebuilt key/truststores for client/server but has no instruction on how they were built and what exactly is being accessed in each one in that code.

Then I was thinking that the server admin can remove a cert from their truststore (or revoke?) in case he thinks that cert has been compromised. Is my thinking on this correct?

Assuming the server side is correct, what does a new client developer have to do keystore/truststore wise in order to effectively use that cert?

Thanks very much,
Chris
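As an added illustration of the CA-based setup Oli describes and of the "what does the client need to put where" question Chris asks, here is a CXF client configuration for 2 way SSL written in code only (no Spring). This is example code added to this thread, not code from CXF, the linked article, or either poster. It assumes two hypothetical JKS files: `client-keystore.jks`, holding the client's private key and its CA-signed certificate (the client's own identity), and `client-truststore.jks`, holding only the CA certificate, so any server certificate signed by that CA is accepted without importing each server certificate individually. The file names, passwords and the `configure` helper are assumptions; the CXF classes and methods (`TLSClientParameters`, `ClientProxy.getClient`, `HTTPConduit.setTlsClientParameters`) are real CXF API.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public class TwoWaySslClientConfig {

    // Hypothetical file names and passwords; replace with your own.
    private static final String CLIENT_KEYSTORE = "client-keystore.jks";
    private static final char[] CLIENT_KEYSTORE_PASSWORD = "changeit".toCharArray();
    private static final String CLIENT_TRUSTSTORE = "client-truststore.jks";
    private static final char[] CLIENT_TRUSTSTORE_PASSWORD = "changeit".toCharArray();

    /** Loads a JKS keystore from disk. */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Builds the TLS parameters for the client side of 2 way SSL:
     * the keystore supplies our own key and certificate (client authentication),
     * the truststore supplies the CA certificate used to validate the server.
     */
    static TLSClientParameters buildTlsParameters() throws Exception {
        // Keystore: the client's private key plus its certificate signed by the CA.
        KeyStore keyStore = loadKeyStore(CLIENT_KEYSTORE, CLIENT_KEYSTORE_PASSWORD);
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, CLIENT_KEYSTORE_PASSWORD);
        KeyManager[] keyManagers = kmf.getKeyManagers();

        // Truststore: only the CA certificate. Any server certificate issued by
        // that CA chains to it and is accepted; nothing per-server is imported.
        KeyStore trustStore = loadKeyStore(CLIENT_TRUSTSTORE, CLIENT_TRUSTSTORE_PASSWORD);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        TrustManager[] trustManagers = tmf.getTrustManagers();

        TLSClientParameters tls = new TLSClientParameters();
        tls.setKeyManagers(keyManagers);
        tls.setTrustManagers(trustManagers);
        // Keep hostname verification enabled: the server certificate's name must
        // match the host in the endpoint URL, otherwise a CA-issued cert for any
        // other host would be accepted.
        tls.setDisableCNCheck(false);
        return tls;
    }

    /** Applies the TLS parameters to the HTTP conduit behind a JAX-WS service proxy. */
    static void configure(Object serviceProxy) throws Exception {
        Client client = ClientProxy.getClient(serviceProxy);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(buildTlsParameters());
    }
}
```

Call `TwoWaySslClientConfig.configure(port)` on the JAX-WS proxy before the first invocation. With this layout, the server's truststore likewise needs only the CA certificate, and trust for a compromised client is withdrawn at the CA level (revocation, or by reissuing with a new CA), rather than by editing each server truststore, which is the administrative step Chris was reasoning about. The client keystore is built with keytool (`-genkeypair`, then `-certreq`, then `-importcert` for the CA certificate and the signed reply); the truststore is a second JKS file containing only the CA certificate imported with `-importcert`.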
