This documentation is for WSO2 Enterprise Service Bus version 4.7.0 . View documentation for the latest release.
Skip to end of metadata
Go to start of metadata

Following is information on setting up keystores for a client and a service using openssl suite and the Java keytool utility available with the JDK.

Step 1. Create Certificate Authority Keys

A certificate authority (CA) is an entity trusted by all parties participating in a secure communication. This entity will certify the trusted party's public keys by signing them. Since the certificate authority is a trusted one, it will accept the public key certificates signed by that particular CA as trusted.

First, we will create a new self-signed key pair for the certificate authority. We will use openssl to create this key pair.


Download the following three files and copy them to the directory that will be used to create the keys serial.htm_.txt, openssl.cnf and index.txt.

1. Try the following from the same directory where you have saved the above files:

openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -config openssl.cnf

2. Now you will be asked a set of questions in creating the key pair as shown below:

The result of the above will create two files:

  • cakey.pem - Contains the encrypted private key.
  • cacert.pem - Contains the public key certificate signed using the private key.

Step 2. Create Client and Service Keys

1. Create the two sets of keys for the service and the client using the keytool that comes with the JDK.

You can use the keytool - genkey to create a key pair and store it in a keystores using the following command:

keytool -genkey -alias client -keyalg RSA -keystore client.jks

2. Once again you will be asked a series of questions as shown below:

3. The created keys are stored in the client.jks file which is a Java KeyStore under the alias client. To verify this fact, we can list the contents of the keystores as shown below.


We will use "18091980" (without quotes) as the password of both keys and keystores.

keytool -list -v -keystore client.jks -storepass 18091980

4. Similar to the way we created the client's keys, create the service's keys using the following command:

keytool -genkey -alias service -keyalg RSA -keystore service.jks

Step 3. Produce Signed X509 Certificates

We can create signed X509 (version 3) certificates using openssl using certificate requests.

1. Create the certificate requests using the generated keys for the client and the service.

For client:

keytool -certreq -keystore client.jks -storepass changeme -alias client -file client.cert.req

For service:

keytool -certreq -keystore service.jks -storepass changeme -alias service -file service.cert.req

2. The above commands will create the client.cert.req and service.cert.req files which we will use in the next step to produce X509 certificates signed by the private key of the CA using the "openssl ca" command.

For client:

openssl ca -config openssl.cnf -out client.pem -infiles client.cert.req

For service:

openssl ca -config openssl.cnf -out service.pem -infiles service.cert.req


The CA's configuration (openssl.cnf) file is configured to point to the cakey.pem file as the private key to use.
The output produced in the client.pem and service.pem files are plain text. To import these signed certificates into the keystores, convert them into the binary (DER) format using openssl x509 command.

For client:

openssl x509 -outform DER -in client.pem -out client.cert

For service:

openssl x509 -outform DER -in service.pem -out service.cert

3. Convert the CA's certificate to the binary form to be imported to both keystores.

openssl x509 -outform DER -in cacert.pem -out cacert.cert

Step 4. Import the Certificates

1. Import the CA's self-signed certificate to both client and service keystores. Use the alias ca to identify the CA's certificate. The keytool will display the information in the certificate and will ask for confirmation to import.

For service:

keytool -import -file cacert.cert -keystore service.jks -storepass 18091980 -alias ca

For client:

keytool -import -file cacert.cert -keystore client.jks -storepass 18091980 -alias ca


When we type in "yes" and confirm the import, the CA's certificate will be imported as a trusted certificate entry.

2. The certificate is added to keystores.

3. Import the signed certificates to the keystores.

4. Since the certificate being imported matches the certificate of the given alias and is signed by the trusted CA cert (which is now in the keystore), the keytool will simply import the signed certificate and respond with the following.

For client:

keytool -import -file client.cert -keystore client.jks -storepass 18091980 -alias client

For service:

keytool -import -file service.cert -keystore service.jks -storepass 18091980 -alias service


We must import the CA's certificate before importing the other certificates.

5. In order to allow secure communication between the client and the service, make sure that each party has the others' public key with them.

6. Import the client.cert into the service's keystore and the service.cert into the client's keystore.

7. Since certificates added are signed by a trusted certificate, they will be simply imported to the keystore and the keytool will confirm that with the following output.

keytool -import -file client.cert -keystore service.jks -storepass 18091980 -alias client

keytool -import -file service.cert -keystore client.jks -storepass 18091980 -alias service

8. Now we have two keystores for the client and the service including their key pairs and the certificates of the other party and the certificate authority.


  • No labels