Forum Discussion
Hi,
after a lot of frustration I got it to work!
I'll share this with you, hopefully it'll help someone
I first followed all tips from the first post (to avoid the handshake error etc). I still got the 403.
I made a little test page to see the client certificate info (see below), and saw that there was no certificate being presented at all by SoapUI.
Then I started messing around and finally got it to work.
What made the difference was to include the whole key CA trust chain, up to and including the root CA, in the keystore.
On Windows I did this by re-exporting the pfx (=keystore file):
- Install all the intermediate CAs and the root CA (any Windows system will do for this, doesn't have to be the server or even the soapUI client system).
  In my case, it was a test hierarchy so I got a bunch of .cer files from the test certificate provider's website. To install them, double-click them in Windows Explorer and hit install. Be sure to select the 'Trusted Root CA' store for your root certificate and the 'Intermediate CA' store for the others.
- Install the client certificate in the 'personal' store. Just double-click the pfx file and hit 'Install'. Be sure to check 'mark as exportable'.
- Re-export the client certificate.
  You can do this from the certificate management console or open the system certificates store from Internet Explorer settings dialog (Internet Options > Content > Certificates).
  - At this point, your client certificate should be in the 'personal' store. If you double-click it, it should show as valid AND it should say 'you have a private key corresponding to this certificate'. On the tab 'certification path' of the client certificate, the whole CA hierarchy should show up and you should be able to open every one of them.
    Now hit the 'export' button to start the certificate export wizard.
  - Choose 'Yes, export the private key'.
  - Next, select 'Include all certificates in the certificate path'
  - Enter a new password to protect your new pfx file and choose a filename to save it
Put your new pfx in the soapUI project settings (project view > security config > keystores /certificates). Use the new password you entered when exporting the pfx. Now, the file name of the pfx file should show up in the dropdown 'keystore' of each request properties (box in the bottom left).
That's all!
Here's the small aspx info page which I used to see if the certificate was presented and dump the client certificate info.
(I use IIS7 server by the way, but this should also work on IIS6):
<%@ Page Language="C#" %>
<!DOCTYPE html>
<html>
<head><title>Certificate Info Page</title></head>
<body>
<h1>Server: <%= System.Environment.MachineName %></h1>
Request.IsAuthenticated: <%= Request.IsAuthenticated %><br />
IsSecureConnection: <%= Request.IsSecureConnection %>
<h3>Client Certificate Information</h3>
<%
    // IsPresent is false when the client sent no certificate during the handshake.
    if (!Request.ClientCertificate.IsPresent)
    {
        Response.Write("<h4>No certificate was presented.</h4>");
    }
    else
    {
        // Certificate fields are supplied by the client, so HTML-encode them before output.
        foreach (string key in Request.ClientCertificate.AllKeys)
        {
            Response.Write(string.Format("<p><b>{0} : </b>{1}</p>",
                Server.HtmlEncode(key), Server.HtmlEncode(Request.ClientCertificate[key])));
        }
    }
%>
</body>
</html>
Hope this helps someone!
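
Added example, not part of the original post: a PowerShell check that a re-exported pfx really contains every certificate from the client certificate up to a self-signed root, which is the condition the post above identifies as the fix. `Test-PfxChain` and the file name in the usage line are made-up names, and issuers are matched by distinguished name only (an assumption that is fine for a sanity check but does not verify signatures or validity dates).

```powershell
# Added example, not from the original post. Test-PfxChain and the file name
# in the usage line are made-up names; Get-PfxData comes with the Windows PKI module.
function Test-PfxChain {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $pfx = Get-PfxData -FilePath $Path -Password $Password

    # EndEntityCertificates holds the client certificate; OtherCertificates
    # holds whatever CA certificates were exported along with it.
    $leaf = $pfx.EndEntityCertificates | Select-Object -First 1
    if (-not $leaf) { throw "No end-entity certificate found in $Path" }
    $cas = @($pfx.OtherCertificates)

    $current = $leaf
    # A chain can be at most (1 + number of CA certs) long, which bounds the walk.
    for ($depth = 0; $depth -le $cas.Count; $depth++) {
        Write-Host ("[{0}] {1}" -f $depth, $current.Subject)

        # Self-signed: the chain inside the file reaches a root CA.
        if ($current.Subject -eq $current.Issuer) { return $true }

        # Assumption: match issuer to subject by distinguished name only.
        $issuer = $cas | Where-Object { $_.Subject -eq $current.Issuer } |
            Select-Object -First 1
        if (-not $issuer) {
            Write-Warning "Issuer missing from PFX: $($current.Issuer)"
            return $false
        }
        $current = $issuer
    }
    Write-Warning 'Issuer loop detected; chain never reaches a self-signed root.'
    return $false
}

# Usage (placeholder file name):
# Test-PfxChain -Path .\client-with-chain.pfx -Password (Read-Host -AsSecureString 'PFX password')
```

A result of `$false` with an "Issuer missing" warning means the export was done without 'Include all certificates in the certificate path', or a CA certificate was not installed before exporting.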
krusolu
New Member, 10 years ago
@endorf Thank you so much!!! You saved me much time and frustration.
One note for the version I am using (4.6.2), in the project configuration, it is the WS-Security Configurations, Keystores tabs where it has to be added.