SoapUI 2-way SSL problem using PKCS12

If, like me, you spend a lot of time in SoapUI, the Swiss Army knife of web service development, when not in Visual Studio or PowerPoint, you could end up getting bitten by this problem.


Java-based SoapUI has great built-in support for both consuming web services and exposing mock services using 2-way SSL, also known as two-way or mutual SSL. It is a proven and interoperable way to exchange data securely in B2B and enterprise scenarios. It means that during the TLS/SSL handshake the client proves its identity to the server using a PKI challenge, the same way the server does to the client in normal TLS/SSL. To allow this, the client needs a client certificate with a corresponding private key.


Doing most of my work in .NET, I tend not to use the JKS (Java KeyStore) format that much, and to call a web service requiring certificate authentication in SoapUI I just point to a PKCS12 file directly. PKCS12 files (.P12 or .PFX) are easy to move to and from the Windows certificate store, and PKCS12 is one of the standard containers for certificates with private keys.




Normally this works perfectly, but if you are having trouble getting the SSL handshake to work, one (of many) reasons can be that the client certificate you are using has a trust chain that includes an intermediate CA, which is getting more and more common.
The symptom is that SoapUI simply won't participate in the client authentication during the handshake, leaving you with a 403 or similar.




In .NET this normally just works as you most likely have the complete chain of trusted certificate issuers in the Windows Certificate Store. But in SoapUI and other Java clients you can no longer rely just on the P12 file.


To solve this for SoapUI and other Java applications you need to create a JKS file containing the full certificate chain under the same alias.


1. Convert the PKCS12 to a JKS using Java's keytool.exe utility. You can find the utility in Java's JRE\BIN folder. If you do not have it elsewhere, it comes with the SoapUI installation.


jre\bin\keytool.exe -importkeystore -srckeystore MYCLIENTCERT.P12 -destkeystore MYCLIENTCERT.JKS -srcstoretype PKCS12 -deststoretype JKS -deststorepass password -srcstorepass password -destalias my-client-cert-alias -srcalias "my client cert"


2. Then you need all public certificates in the chain, including both the root and the intermediate CA certificate. Export them from the Windows certificate store in Base64 format (.CER).


3. Open all three files in a text editor and chain them like this:
Save the file as my-complete-cert-chain.pem


4. Import the file to the JKS using
jre\bin\keytool.exe -import -keystore MYCLIENTCERT.JKS -alias my-client-cert-alias -file my-complete-cert-chain.pem


Now you have a JKS with your client certificate and its certificate chain that should work fine in SoapUI or in other Java-based web service clients. 🙂
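To confirm the result of steps 1 to 4 before pointing SoapUI at it, the keystore entry can be inspected from Java. The following is an added example, not code from the original post: the class name `ChainCheck` is hypothetical, and the defaults are the file name, alias and password used in the steps above.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Added example: checks that a key entry carries its full issuer chain.
public class ChainCheck {

    /** Returns null if the chain is complete, otherwise a description of the problem. */
    static String findChainProblem(KeyStore ks, String alias) throws Exception {
        if (!ks.isKeyEntry(alias)) {
            return "alias '" + alias + "' has no private key (certificate-only entry or missing)";
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            return "no certificate chain stored";
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            System.out.printf("[%d] subject=%s%n    issuer=%s%n", i,
                    cert.getSubjectX500Principal(), cert.getIssuerX500Principal());
            cert.checkValidity(); // throws if expired or not yet valid
            if (i + 1 < chain.length) {
                // Each certificate must be signed by the next one in the chain.
                cert.verify(chain[i + 1].getPublicKey());
            }
        }
        X509Certificate last = (X509Certificate) chain[chain.length - 1];
        if (!last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            return "chain stops at '" + last.getSubjectX500Principal()
                    + "'; issuer '" + last.getIssuerX500Principal() + "' is not in the entry";
        }
        last.verify(last.getPublicKey()); // the root must be self-signed
        return null;
    }

    public static void main(String[] args) throws Exception {
        String file = args.length > 0 ? args[0] : "MYCLIENTCERT.JKS";
        String alias = args.length > 1 ? args[1] : "my-client-cert-alias";
        char[] password = (args.length > 2 ? args[2] : "password").toCharArray();
        // The default keystore type is PKCS12 on Java 9+, so name the type explicitly.
        KeyStore ks = KeyStore.getInstance(file.toLowerCase().endsWith(".jks") ? "JKS" : "PKCS12");
        try (FileInputStream in = new FileInputStream(file)) {
            ks.load(in, password);
        }
        String problem = findChainProblem(ks, alias);
        System.out.println(problem == null ? "OK: complete chain up to a self-signed root"
                                           : "PROBLEM: " + problem);
    }
}
```

Running it against the original MYCLIENTCERT.P12 with the source alias shows how far the chain in that file reaches, which makes the difference to the converted JKS visible.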

7 thoughts on “SoapUI 2-way SSL problem using PKCS12”

  1. I’ve been banging my head against a wall for a while now with this. So soapUI just does not play nice with PFX or PKCS12 files?

    1. It's more a case of Java not playing nice with PFX/P12 files used as client certificates that do not have the complete certificate chain in the file.

  2. Hi,
    I followed your article and it was very helpful, however at the end SoapUI complains about "No private keys found in keystore". I believe when the certificate was made by the org root CA, it would not provide the private key. How to go about it, or am I missing something here?

  3. @Gaurav – yes, you will need the private key in the JKS file in addition to the complete certificate chain. If you look at step 1, I have a PKCS12 file as a start which does contain the private key. I convert it to a JKS and then add the complete certificate chain to it. Your JKS will then contain 4 things: your-certificate-private-key/your-certificate/intermediate-certificate/root-certificate.

  4. I'd like to thank you so much, I spent about 12 hours in a row trying to figure out this problem and I just did what you say and it worked! Very glad! May God keep on blessing you.

  5. I am facing same issue, in SOAP UI I am able to get response after adding certificate. But in Java I am getting exception as Client received SOAP Fault from server: Rejected by policy. Please see the server log to find more detail regarding exact cause of the failure.
    I tried to export it manually, still same issue, can you please check, I am stuck with this issue for two days!

    SSLContext sc = SSLContext.getInstance("TLSv1");
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(new FileInputStream("MYCLIENTCERT.JKS"), "keystorePassword".toCharArray());
    kmf.init(ks, "srcPassword".toCharArray());
    sc.init(kmf.getKeyManagers(), null, null);
    ((BindingProvider) bp).getRequestContext().put(
    sc.getSocketFactory() );
