Providing certificates for Web Application services API calls

Mutual authentication is required for calls to the Web Application services APIs. Therefore, the caller must hold a client certificate to be able to establish a TLS connection with the server and to call the APIs. You can create a client certificate yourself or you can request one from an external certificate authority (CA) provider.

About this task

For an example of how to obtain a client certificate, see the sample procedure for creating a client certificate for the Web Application services API. Depending on the way in which an API request is submitted, the client certificate must either be installed on the machine that hosts the web client or the client certificate must be provided with the request.

Procedure

  • Provide certificates for web clients.
    Import the client certificate.
    Internet Explorer 7
    1. Select Tools > Internet Options.
    2. On the Content tab, click Certificates.
    3. On the Personal tab, click Import.
    4. Select the file that holds the client-certificate keystore. Make sure that the keystore contains the certificate along with its private key, then import it.
    5. On the Trusted Root Certification Authorities tab, there must be an entry for the CA that created the client certificate. The trusted entry for that authority will be in the keystore file if you exported the certificate chain and should be imported automatically. If not, import it manually.
    Mozilla Firefox 3.5
    1. Select Tools > Options > Advanced.
    2. On the Encryption tab, click View Certificates.
    3. On the Your certificates tab, click Import to import the certificate from the keystore file on your disk.
    4. On the Authorities tab, there must be an entry for the CA that issued the certificate you just imported. If it is missing, import that one as well.
  • Provide certificates for Java™ clients.
    1. Copy the file containing the client certificate to the machine that hosts the client calling the Web Application services API. The file must contain the complete certificate chain, including the trusted entry for the CA that issued the certificate.
    2. Add the server certificate, which the web application server sends to its clients for identification, as a trusted entry to the keystore. You can use any browser that already has imported that server certificate to export the certificate to disk.
    3. Use the ikeyman tool to import the keystore holding the server certificate into the keystore that holds the client certificate. As a result, the keystore contains trusted entries for the machine hosting the web application server and the CA that issued the client certificate, as well as an entry for the client certificate itself.

    When you develop the Java client for the Web Application services API call, use that keystore when you create the KeyManager object that will be used in your SSLContext class.
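
The following sketch shows one way to build the KeyManager and SSLContext from that keystore. It is an added example, not code from the product documentation. It assumes a JKS or PKCS12 keystore whose key password equals the store password; the class name, the `KEYSTORE_PASSWORD` environment variable, and the command-line arguments (keystore path and API URL) are hypothetical.

```java
import java.io.File;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsClient {

    // Builds an SSLContext that presents the client certificate and validates
    // the server against the certificates held in the same keystore.
    static SSLContext contextFrom(File keystoreFile, char[] password) throws Exception {
        // Detects the keystore type from the file contents (Java 9 and later).
        KeyStore keystore = KeyStore.getInstance(keystoreFile, password);

        // KeyManager: supplies the client certificate and private key in the handshake.
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keystore, password); // assumption: key password equals store password

        // TrustManager: uses this keystore instead of the JRE default truststore,
        // so only the imported server certificate and CA are accepted.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keystore);

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return context;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical inputs: args[0] = keystore path, args[1] = API URL.
        // The password comes from the environment so it stays out of the source.
        File keystoreFile = new File(args[0]);
        char[] password = System.getenv("KEYSTORE_PASSWORD").toCharArray();

        HttpClient client = HttpClient.newBuilder()
                .sslContext(contextFrom(keystoreFile, password))
                .build();
        HttpRequest request = HttpRequest.newBuilder(URI.create(args[1])).GET().build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println(response.statusCode());
    }
}
```

If the handshake fails with a certificate or trust error, check that the keystore holds both the client key entry and the trusted entries for the server and the issuing CA, as described in the steps above.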