We can create a client certificate for a JAX-RPC SOAP client (in a JKS Java keystore), or a version of the same client certificate for a browser (usually a PKCS12 file). As with the server keystore we just created, we have to put the private and public key in the same container (protected by a password).
Here the security burden moves to the client side: the client must keep its private key private. If the server can decrypt the message with the client's public key, then only the holder of the matching private key could have produced it, provided that only the client, and not an attacker, possesses that private key. By this process the client is authenticated.
We can create our client private key and our CSR (Certificate Signing Request) in one command with openssl:
[your_prompt]$ openssl req -new -newkey rsa:1024 -nodes -out client/client.req -keyout client/client.key
Then sign the CSR with your own CA (you will have to enter the pass-phrase of the CA key):
[your_prompt]$ openssl x509 -CA public/ca.crt -CAkey private/ca.key -CAserial public/ca.srl -req -in client/client.req -out client/client.pem -days 100
For use with a Java SOAP client we need the certificate in JKS keystore format. But to access the endpoint of a web service with a browser (to read the WSDL, for example) we will have to use the PKCS12 format.
As usual, we first create the PKCS12 file, again with openssl, this time for use in a browser. Note that you have to choose an export password, which clients will need when importing the certificate into their browser.
Here the -export option tells openssl to create a PKCS12 file from scratch. The -clcerts option includes only the client certificate (not the CA certificates) in the PKCS12 file, which keeps the import into a browser simple. Finally, -name lets you specify a friendly name that is used as the alias, and will be carried over into the future keystore.
[your_prompt]$ openssl pkcs12 -export -clcerts -in client/client.pem -inkey client/client.key -out client/client.p12 -name your_certificate_client_name
And finally we generate the client keystore for our Java SOAP client. You can use the same password here; the Java SOAP client will use it to open the client.jks keystore.
[your_prompt]$ java org.mortbay.util.PKCS12Import client/client.p12 client/client.jks
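Before handing the client certificate out, it is worth checking that the pieces fit together: the certificate chains to our CA, it matches the private key it was generated with, and the PKCS12 and JKS files actually open with the password and contain the key. The following checks are an added example, not part of the original tutorial; they assume the file paths used above and that the -name alias was carried into client.jks.

```sh
#!/bin/sh
# Added example: sanity checks for the client certificate produced above.
# Assumes the tutorial's paths (public/ca.crt, client/client.pem, client/client.key,
# client/client.p12, client/client.jks); none of this is from the original page.
set -eu

# The signed client certificate must validate against our own CA certificate.
verify_client_cert() {
  ca="$1"; cert="$2"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# The certificate's public key must be the one derived from the private key;
# a mismatch (e.g. signing an old CSR) yields a keystore the server will reject.
key_matches_cert() {
  key="$1"; cert="$2"
  k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# The PKCS12 file must open with the export password and hold a private key
# (a wrong password or a certificate-only export fails this check).
p12_has_key() {
  p12="$1"; pass="$2"
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# The JKS keystore must contain the alias given with -name (requires a JDK keytool).
jks_has_alias() {
  jks="$1"; pass="$2"; alias="$3"
  keytool -list -keystore "$jks" -storepass "$pass" -alias "$alias" >/dev/null 2>&1
}

# Usage with the tutorial's files (export password and alias are placeholders):
# verify_client_cert public/ca.crt client/client.pem && key_matches_cert client/client.key client/client.pem \
#   && p12_has_key client/client.p12 'YOUR_EXPORT_PASSWORD' \
#   && jks_has_alias client/client.jks 'YOUR_EXPORT_PASSWORD' your_certificate_client_name && echo OK
```

The tutorial's rsa:1024 key size is below the 2048-bit minimum current clients and CAs expect; the checks work for either size.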