This example demonstrates how to configure ssl with a custom keystore and required key based client auth using a plain DOSGi service with a custom intent.
We want the karaf HttpService to be secured by https and require a client certificate for authentication.
Create client and server keys.
Add client certificate to server
mkdir -p etc/keystores
keytool -genkey -dname CN=localhost -keyalg RSA -validity 100000 -alias serverkey -keypass password -storepass password -keystore etc/keystores/keystore.jks
keytool -genkey -dname CN=chris -keyalg RSA -validity 100000 -alias clientkey -keypass password -storepass password -keystore etc/keystores/client.jks keytool -export -rfc -keystore etc/keystores/client.jks -storepass password -alias clientkey -file client.cer keytool -import -trustcacerts -keystore etc/keystores/keystore.jks -storepass password -alias clientkey -file client.cer
keytool -exportcert -storepass password -keystore etc/keystores/keystore.jks -alias serverKey -file server.cert
keytool -importcert -storepass password -keystore etc/keystores/client.jks -alias serverKey -file server.cert
feature:repo-add cxf-dosgi 2.0-SNAPSHOT feature:install cxf-dosgi-provider-ws install -s mvn:org.apache.cxf.dosgi.samples/cxf-dosgi-ri-samples-ssl-interface/2.0_SNAPSHOT install -s mvn:org.apache.cxf.dosgi.samples/cxf-dosgi-ri-samples-ssl-impl/2.0-SNAPSHOT install -s mvn:org.apache.cxf.dosgi.samples/cxf-dosgi-ri-samples-ssl-client/2.0-SNAPSHOT
If you want to access the service using your browser then you have to export it in pkcs12 format and import it into your browser.
# Export client cert as pkcs12 for browser keytool -importkeystore -srckeystore etc/keystores/client.jks -destkeystore etc/keystores/client.p12 -deststoretype PKCS12
Access the service as . Add a security exemption to accept the server certificate.