Re: Adding X.509 certificate to SOAP Header

From: Andy Wolf
Date: Fri, 21 Jan 2005 13:00:29 +0100

Hello Paul,

Paul Worrall wrote:
> They had me go through a process with a web app, Microsoft Certificate
> Services, to request a certificate. Among other details I was
> instructed to ask for a Client Authentication Certificate and
> subsequently use IE to export it to a .cer file.

So what you got is a client certificate. I assume that during the
process they have had your IE create the public and private keys and
submit the public key to the server as part of a certificate signing
request. At least this is something I have seen in other similar processes.

Now the question is what has been exported by IE into the .cer file.
Only the Certificate including the public key? Most probably you will
need the private key as well...

> As my first assumption was that it was for SSL mutual authentication I
> successfully set up a keystore and a trust store. I obtained their
> server certificate and put that and the certificate provided in the
> appropriate keystores.

Well this sounds like server certificate only which might not be enough.
As they apparently are talking about a client certificate you might have
to use either both client and server certificate (for authentication) or
only the client certificate (for decryption).

For authentication you will need the server certificate including the
public key for verification of the server identity and you will need the
client certificate resp. the client private key for encrypting a token
that the server can decrypt for verification of identity.

> That all worked as far as SSL was concerned

So you were already able to set up an SSL connection including server
and client authentication?

> but then I got a SOAP fault.
> javax.xml.rpc.soap.SOAPFaultException: No authorised X.509 certificate
> detected

Not authorized sounds like the certificate of the certification
authority could not be found. Have you checked the truststore setup?

> From the .NET people's perspective they provide the following example
> VB.NET code for users of their web service:

> Their presumption is that I have a Java API that is similar. They just
> create a certificate object and add it to the webservice object.

Obviously you will have to dig deeper into this .NET stuff and find out
what really happens here :-)

Good luck...Andy
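
The question raised in this message, whether the keystore holds the client certificate together with its private key or only the certificate that was exported to the .cer file, can be checked directly from Java. The following is an added example, not part of the original message; the class name and the keystore path argument are assumptions.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

// Added example (hypothetical class name): lists each keystore alias and says
// whether it carries a private key or is a certificate-only (trust) entry.
public class KeystoreEntryCheck {
    // id-kp-clientAuth, the "Client Authentication" extended key usage
    static final String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";

    static String describe(KeyStore ks, String alias) throws Exception {
        String kind;
        if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
            kind = "private key + certificate chain";
        } else if (ks.entryInstanceOf(alias, KeyStore.TrustedCertificateEntry.class)) {
            kind = "certificate only, no private key";
        } else {
            kind = "other entry type";
        }
        Certificate cert = ks.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) {
            return alias + ": " + kind;
        }
        X509Certificate x509 = (X509Certificate) cert;
        // getExtendedKeyUsage() returns null when the extension is absent
        List<String> eku = x509.getExtendedKeyUsage();
        String usage = (eku == null) ? "EKU extension absent"
                : (eku.contains(CLIENT_AUTH_OID) ? "clientAuth listed" : "clientAuth NOT listed");
        return alias + ": " + kind + "; subject="
                + x509.getSubjectX500Principal().getName() + "; " + usage;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage: java KeystoreEntryCheck <keystore-file> (run from a terminal)");
            System.exit(2);
        }
        char[] password = console.readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(describe(ks, alias));
        }
    }
}
```

A client certificate imported from a .cer file alone shows up as "certificate only, no private key"; such an entry can be trusted but cannot be presented as the client's own identity.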
