Setting up two-way SSL, Java

5208 views August 9, 2017 May 25, 2020 6

The configuration described here may be used as a guideline through the installation and configuration of the certificate. This recipe applies to a Linux and Java environment.

Configuration process

The configuration process contains the following steps:

  1. Order and Download Certificate
  2. Set Certificate Permissions
  3. Test Certificate Implementation
  4. Multiple Client Certificates

1. Order and Download Certificate

For details, please read this process description: Get a client SSL web service certificate.

A technical responsible person sends an order to and orders a production WS SSL certificate of the customer service. The order must contain e-mail and mobile number of the person responsible.

Signicat Operations will send an activation URL on e-mail, and an activation code on SMS to the mobile phone to technical responsible. The certificate may be downloaded using this code.

NB! This activation URL is active within 15 minutes after it has been issued

After the certificate is downloaded, another SMS with a decryption password to the certificate will be sent to the same mobile number.

2. Set Certificate Permissions

Place the certificate in a secure folder with read/write restrictions, and change the read/write restrictions on the certificate file so that only the user/process that run your application have read rights to it.

3. Test Certificate Implementation

Write a web client which does a request to

Web Client
public static void main(String[] args) {
        // Insert certificate info here

        // Connect
        SSLSocketFactory sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket("",443);

        // Send HTTP GET request
        BufferedWriter bufferedWriter = new BufferedWriter(new OutputStreamWriter(sslSocket.getOutputStream(), "UTF8"));
        bufferedWriter.write("GET /ws/documentservice-v2?wsdl HTTP/1.1\r\nhost:\r\n\r\n");

        // Read response
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(sslSocket.getInputStream()));
        String string = null;

        while ((string = bufferedReader.readLine()) != null) {


        // Close connection.

    }catch(Exception exception){

We will get a HTTP/1.1 403 Forbidden in return. This is because access to the is restricted and requires two-way SSL setup, and in the example above we haven’t added the issued certificate. If we add the following lines to the top of the Web Client, below the comment “Insert certificate info here”.

3.1 Using PKCS12 private key
System.setProperty("", "PKCS12");


3.2 Using JKS keystore

To use the a JKS keystore it’s necessary to import the PKCS12 file or files into a keystore. This is done using the Java keytool.

Example on how to create a new keystore using the Java keytool:

NB: The keystore password must be the same as the PKCS12 certificate password


keytool -importkeystore -srckeystore web-service-certificate.p12 -srcstoretype PKCS12 -destkeystore web-service-keystore.jks
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Import command completed: ...
Storing web-service-keystore.jks​
System.setProperty("", "JKS");

After including the certificate into the web client we will get a HTTP/1.1 200 OK and some additional data as a response to our request. This indicates that the certificate is working and correctly implemented in the client.

Was this helpful?