Hi Chris,

It sounds like you might be best off using your own Certificate Authority. That way you'd only need to import the CA's signing certificate into your trust store, not every individual client certificate (and if you configure it correctly, *only* certificates signed by that CA will be accepted by the server).

The safest way to manage the certificates is to generate the public/private key pair on the client, then export a certificate request containing the generated public key (Java's keytool or any number of other programs will allow you to do this). The owner of the client system can then just email the certificate request to the CA administrator, and if the owner's request is valid the CA can email back a certificate. The owner of the client system would then need to import the certificate into their keystore (where they saved the private key that matched the certificate request), and use that keystore for the SSL/TLS connection.

If you do a search you should find plenty of information to set this up. I think Glen Mazza had a blog posting about using OpenSSL for your own CA a while ago, so you might want to start there (keeping this in the CXF family ;-) ).

  - Dennis

Dennis M. Sosnoski
Java SOA and Web Services Consulting <http://www.sosnoski.com/consult.html>
Axis2/CXF/Metro SOA and Web Services Training <http://www.sosnoski.com/training.html>
Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>

On 05/20/2011 07:51 PM, Chris Richmond wrote:
> I have successfully tested a CXF based service and client in Java using
> 2 way SSL in code only (no Spring), following this example:
>
> http://aruld.info/programming-ssl-for-jetty-based-cxf-services/
>
> Now, I am simply reusing the same keystores/truststores from the CXF
> example but I am having difficulty figuring out the workflow for
> securing my own service. What I want to achieve is having a 2 way SSL
> CXF web service which I will generate certs for on the server side,
> then the administrator will hand out those certs to trusted developers
> and make an entry in the server's trust store for those certs? That
> cert can be used by client developers to submit with their requests
> for 2 way SSL.
>
> I *think* the workflow will be like this, but I need advice on this.
>
> create a keystore on the server machine.
> create a truststore on the server machine.
> generate a key in the keystore for a particular client to use/
> export that key's certificate and import that cert into the server's
> truststore so that server will trust/allow any clients using that cert
> access.
> hand out that cert to client developer via email, thumbdrive, etc (not
> important how)
> the client puts that cert into their keystore? Truststore?
>
> The client needs to have a keystore and truststore as well, does it not?
> But I'm not exactly sure what/where the client needs to put that cert
> in order to call the server via CXF. The example I used above has
> prebuilt key/truststores for client/server but has no instruction on
> how they were built and what exactly is being accessed in each one in
> that code.
>
> Then I was thinking that the server admin can remove a cert from their
> truststore (or revoke?) in case he thinks that cert has been compromised.
>
> Is my thinking on this correct? Assuming the server side is correct,
> what does a new client developer have to do keystore/truststore wise in
> order to effectively use that cert?
>
> Thanks very much,
> Chris
>
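The workflow Dennis describes (key pair generated on the client, only the CSR sent to the CA, signed certificate imported into the client's keystore, and nothing but the CA certificate in the server's trust store), as an added shell example that is not from this thread. It uses OpenSSL instead of keytool and produces a PKCS12 keystore that Java/CXF can load directly; openssl on PATH, the file and subject names, and the "changeit" password are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes openssl is installed.
# All subject names, file names and the keystore password are made up.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Step 1 (CA administrator): create the private CA key and self-signed CA cert.
# ca.crt is the only thing the server's trust store needs to contain.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Internal CA" 2>/dev/null
}

# Step 2 (client owner): generate the key pair locally and write a CSR.
# The private key stays on the client machine; only the .csr is emailed.
make_client_csr() {
  name="$1"
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
    -subj "/CN=$name" 2>/dev/null
}

# Step 3 (CA administrator): after checking the request is legitimate,
# sign the CSR and email the resulting .crt back.
sign_csr() {
  name="$1"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/$name.crt" 2>/dev/null
}

# Step 4 (client owner): bundle private key + signed cert + CA cert into a
# PKCS12 keystore. CXF can use it with keystore type "PKCS12", or it can be
# pulled into a JKS file with keytool -importkeystore.
make_client_keystore() {
  name="$1"
  openssl pkcs12 -export -inkey "$WORK/$name.key" -in "$WORK/$name.crt" \
    -certfile "$WORK/ca.crt" -name "$name" -passout pass:changeit \
    -out "$WORK/$name.p12"
}

# Server-side check, mirroring a trust store that holds only ca.crt: the
# system CA bundle is deliberately excluded. Returns 0 only when the given
# certificate chains to our CA; any other cert, self-signed or not, fails.
is_issued_by_ca() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.crt" "$1" \
    >/dev/null 2>&1
}
```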
