Using X.509 Certificates
The X.509 Certificate Token Profile ( pdf ) provides another option for implementing WS-Security. For the Signature and Encryption actions, you'll need to create a public & private key for the entities involved. You can generate a self-signed key pair for your development environment via the following steps. Keep in mind these will not be signed by an external authority like Verisign, so are inappropriate for production use.
1. Creating private key with given alias and password like "myAlias"/"myAliasPassword" in keystore (protected by password for security reasons)
keytool -genkey -alias myAlias -keypass myAliasPassword -keystore \
privatestore.jks -storepass keyStorePassword -dname "cn=myAlias" -keyalg RSAThe alias is simply a way to identify the key pair. In this instance the RSA algorithm is used.
2. Self-sign your certificate (in production environment this will be done by a company like Verisign).
keytool -selfcert -alias myAlias -keystore privatestore.jks -storepass
keyStorePassword -keypass myAliasPassword3. Export the public key from our private keystore to file named key.rsa
keytool -export -alias myAlias -file key.rsa -keystore privatestore.jks
-storepass keyStorePassword4. Import the public key to new keystore:
keytool -import -alias myAlias -file key.rsa -keystore publicstore.jks
-storepass keyStorePasswordSo now you have two keystores containing our keys - a public one (publicstore.jks) and a private one (privatestore.jks). Both of them have keystore password set to keyStorePass (this not recommended for production but OK for development) and alias set to myAlias. The file key.rsa can removed from filesystem, since it used only temporarily. Storing keys in keystores is strongly advised because a keystore is protected by a password.
A more detailed description of key generation can be found here: http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html
How to create a production certificate can be found here: http://support.globalsign.net/en/objectsign/java.cfm