Posted to users@cxf.apache.org by paul <pa...@hotmail.com> on 2011/03/29 00:24:12 UTC

How to obtain a CA-signed certificate for use with WS-Security?

Hi, I'm using CXF 2.2.10 along with WS-Security for signatures.  I need to
obtain a CA-signed certificate for use in production, but there does not
appear to be much (in the search engines) on how to request this from a
company like Verisign, Thawte, etc.  I understand that the process involves
creating a CSR... but the public CAs seem to offer two kinds of certificate
signing: "SSL" or "Code Signing".  It seems like what's needed for
WS-Security is neither of those (it's not a web-site, nor is a JAR file
being signed), so how would one go about submitting the CSR to Verisign (or
any other similar public CA)? Would an SSL certificate work for a SOAP
Signature, when using CXF?


Re: How to obtain a CA-signed certificate for use with WS-Security?

Posted by David Valeri <dv...@gmail.com>.
I am pretty sure I have been using certificates with the SSL extensions (both client and server) for signing for years.  I do believe they had some combo of Digital signature, Non-repudiation, and Key encipherment as Key Usage extensions depending on if it was a client/user or server cert.  If you check out SSL certificates from your favorite Web site, you can get an idea of what the typical SSL server certificate looks like. 

If you want to know specifically what a working certificate looks like, have a look at the key stores used in the unit/integration tests in CXF [1] (passwords are in the properties files) and I also have some I use at my blog [2] (password is password for all keys).  You can check these using KeyTool or Portecle.  These should all look very similar to the certificates you find on Web sites.

You raise a good point that application (Web service) identity is not necessarily tied to machine identity (a host or host name), but you can use the same identity for both.

Hopefully somebody who has actually been through the entire process can chime in and confirm since I have always had the certificates handed to me or self-generated for development.

[1] http://svn.apache.org/repos/asf/cxf/trunk/rt/ws/security/src/test/resources/
[2] http://code.google.com/p/davidvaleri/source/browse/projects/examples/pki/

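
To inspect the Key Usage extensions discussed in the reply above on a keystore of your own (for example, one of the test keystores it links to), here is an added example that is not part of the thread and not CXF code. The class name `KeyUsageCheck`, the command-line arguments, and the rule that `digitalSignature` or `nonRepudiation` marks a certificate as usable for signing are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

/** Added example (hypothetical class): reports Key Usage for every entry in a keystore. */
public class KeyUsageCheck {
    // Indexes into the array returned by X509Certificate.getKeyUsage() (RFC 5280 order).
    static final int DIGITAL_SIGNATURE = 0, NON_REPUDIATION = 1, KEY_ENCIPHERMENT = 2;

    /** A certificate without a KeyUsage extension (null array) is not restricted. */
    static boolean allows(boolean[] keyUsage, int bit) {
        return keyUsage == null || (bit < keyUsage.length && keyUsage[bit]);
    }

    static String describe(String alias, X509Certificate cert, boolean hasPrivateKey)
            throws CertificateException {
        boolean[] ku = cert.getKeyUsage();
        // Assumption of this example: either bit is enough to sign a SOAP message.
        boolean sign = allows(ku, DIGITAL_SIGNATURE) || allows(ku, NON_REPUDIATION);
        String validity = "within validity period";
        try {
            cert.checkValidity();
        } catch (CertificateException e) {   // expired or not yet valid
            validity = "OUTSIDE validity period";
        }
        return String.format("%s%n  subject=%s%n  issuer=%s%n  %s, private key present=%b%n"
                + "  keyUsage=%s%n  extendedKeyUsage=%s%n  signing=%b, keyEncipherment=%b",
                alias, cert.getSubjectX500Principal(), cert.getIssuerX500Principal(),
                validity, hasPrivateKey, ku == null ? "(absent)" : Arrays.toString(ku),
                cert.getExtendedKeyUsage(),          // list of OIDs, or null if absent
                sign && hasPrivateKey,               // signing also needs the private key
                allows(ku, KEY_ENCIPHERMENT));
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeyUsageCheck <keystore> <password> [type]");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args.length > 2 ? args[2] : KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                System.out.println(describe(alias, (X509Certificate) c, ks.isKeyEntry(alias)));
            }
        }
    }
}
```

Running it against a development keystore and again against the CA-issued certificate once imported shows whether the key usage bits the CA set match what the development certificates carried.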