ssl client auth with self-signed certificates

Sorry, I meant to say that I need the certificate authority certificate to authenicate the
*server*'s certificate, which is "self-signed" using my certificate authority cert. Soapui pro 2.5
needs to find this "trusted certificate authority" cert somehow. Please advise. Thanks.

Hi Leigh,

I'm not sure exactly what errors/problems you are getting/having.. is it when you specify the certificate in the global SSL settings? Or when making a request?

regards!

/Ole
eviware.com

When I try to load the certificate authority certificate into soapui. I use
pem format (that's what openssl generates). Pl. advise. Thanks.

Hi,

ok.. and what error are you getting? Have you tried importing the pem file into a java keystore and specifying that instead?

regards!

/Ole
eviware.com

I've done what you recommended. The ssl handshake from soapui (client) to server still fails.

Let's recap the scenario.

On the server, I have apache httpd 2.2 proxying tomcat 5.5.27. Httpd handles the ssl
handshake and passes authenicated requests on to tomcat.

Both the client and the server have certificates which are self-signed by a root certificate I
created. Let's call it WandrianCA-cacert.pem.

I know the server portion (httpd + tomcat5) works correctly. I can send a canned request
using curl and get a response. I can do a cannel request using openssl and watch the ssl handsake. I can browse static content, served by tomcat, using Firefox with client certificate
authenication.

I can't get soapui to work.

Using the following commands, I've created a jks keystore soapui.jks:

keytool -v -keystore soapui.jks -import -file WandrianCA-cacert.pem # adds the signing cert
keytool -v -keystore soapui.jks -import -file support.pem -alias support # add client cert

$ keytool -list soapui.jks
Enter keystore password:  *****

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

support, Apr 29, 2009, trustedCertEntry,
Certificate fingerprint (MD5): EC:A6:B5:F5:4E:AD:A3:BC:3A:45:E8:42:8D:03:1D:80
mykey, Apr 29, 2009, trustedCertEntry,
Certificate fingerprint (MD5): CC:2B:8B:C0:E3:4F:AD:3D:E2:65:DE:37:A6:DF:B0:0D

Note that there are NO private keys. I don't believe I need any.
The certificate authority cert WandrianCA-cacert.pem will be used
to authenicate the server's certificate. The client certificate support.pem
will be used to respond to the server when the server requests authenication.

On the project properties tab, 'Keystores/Certificates' subtab, when I load
the keystore, I'm prompted for the password then then get the following
message in the 'status' column:

< no="" private="" keys="" found="" in="" keystore="">

Please advise ASAP. Thanks.

I think I have a workaround.

I've added my certificate authority certificate to the java cacert keystore
using keytool.

I then load the client certificate in the project 'Security Configurations' tab
and configure an "Outgoing WS-Security Configuration" using that certificate.
Finally, for a request, I configure the 'SSL Keystore' to be the client certificate.
To I have configure every request of every testcase like that, in other words bind
'SSL Keystore'? Or is there something global to set?

I'm about to update hundreds of requests one by one if I can't get an answer for the
'SSL Keystore' property. Is there a global "default" setting? Please advise. Thanks.

Hi Leigh,

there is a global keystore setting in the Preferences \ SSL tab, maybe you could set the keystore there instead?

regards!

/Ole
eviware.com

Global is probably the wrong scope. I have several projects and each requires
a different client certificate. There doesn't seem to be an 'SSL Keystore' property
in the project, service binding or test suite scopes? Pl. advise. Thanks.

Hi Leigh,

unfortunately global and request are the only scopes, obviously a shortcoming that should be addressed in an upcoming release.. What level would be most appropriate for your requirements? (Project? Endpoint? TestCase? etc..)

regards,

/Ole
eviware.com