How to generate SSL certificate with private key?

开发者 https://www.devze.com 2023-03-16 07:44 Source: Internet
When I try to configure WS-AT transactions on Windows, the system claims I cannot use a particular SSL certificate because it has no private key. I tried a self-signed certificate and one provided by StartSSL - no luck.

I think, thanks to extensions, it is possible to create a certificate with an attached private key; the question is, is there such a tool? Or is there a piece of software that can export it from the GlassFish keystore?


From what I see in the screencast you noted in your comments, the tiny.cer is the server certificate that you import on the Windows side. You don't need the private key of that certificate, on the Windows side.

The mrbean.cer is the certificate that you import to the jks on the server side. You don't need the private key of that certificate on the server side either.

Which system is complaining about a lack of private key? If it's the Windows side, then look at the certificate details in the MMC Certificates snap-in. At 25:26 in the screencast, you can see the certificate details of the tini.east.sun.com certificate. Note that there is no private key associated with the certificate. This is fine.

What the screencast doesn't show (or I didn't see it scanning through it quickly) are the details of the mrbean certificate, on the Windows side. On the Windows system you need the private key, if you are using the mrbean certificate to connect using SSL to the server. For that certificate on your Windows system, the certificate details tab should show a small icon of a key and the text, "You have a private key that corresponds to this certificate." (The private key isn't actually part of the certificate -- it's stored separately.)

You don't need to export this private key or copy it to the server, in fact, you do NOT want to copy the private key to the server. You want the private key of the mrbean certificate kept safely on the Windows system.

However, if you are using it to connect, as the client certificate for an SSL connection, then there must be a private key showing in the MMC snap-in, and, additionally, the Windows account that is doing the SSL connecting MUST have access to the private key. When you import the client certificate (mrbean) on the Windows side, the Windows account you are logged in as will have access to the private key, but if the code doing the connecting is running under a different Windows account, it does not.

In the MMC snap-in, right click on the certificate (mrbean) and select "All Tasks -> Manage Private Keys". From there, you can give Read access to the Windows account that is doing the SSL connecting. (Be careful -- whoever you give read access to the private key to, can use the certificate to connect via SSL using that certificate.)

So I'm not sure this is the problem, but if it is the Windows side complaining about a lack of private key, and you need a client certificate for an SSL connection, then check that (a) you have a private key associated with the certificate, and (b) the Windows account that needs to use the certificate to connect out via SSL has access to the private key. You can check both things in the MMC snap-in on the Windows system.

Don't copy either private key (client or server) in either direction.
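
Checks (a) and (b) from the answer above can also be scripted. The following is an added example, not part of the original answer; it assumes the client certificate sits in the LocalMachine\My store with an RSA key, and the subject filter and the account name `CONTOSO\svc-wsat` are hypothetical placeholders.

```powershell
# Added example. Assumptions: certificate is in LocalMachine\My with an RSA key;
# the subject filter and account name are placeholders. Run from an elevated prompt.
param(
    [string]$SubjectLike = '*mrbean*',
    [string]$Account     = 'CONTOSO\svc-wsat'   # hypothetical connecting account
)

# Where Windows keeps machine-level private key files (legacy CAPI and CNG).
$keyDirs = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
           "$env:ProgramData\Microsoft\Crypto\Keys"
$read = [System.Security.AccessControl.FileSystemRights]::Read

Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like $SubjectLike } | ForEach-Object {
    $cert = $_
    Write-Output ('{0} [{1}]' -f $cert.Subject, $cert.Thumbprint)

    # (a) Is a private key associated with this certificate at all?
    if (-not $cert.HasPrivateKey) {
        Write-Output '  (a) FAIL: no private key associated with this certificate'
        return   # inside ForEach-Object this moves on to the next certificate
    }
    Write-Output '  (a) OK: private key present'

    # Opening the key throws if the account running this script cannot read it.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    } catch {
        Write-Output ('  cannot open key as {0}: {1}' -f $env:USERNAME, $_.Exception.Message)
        return
    }
    if ($null -eq $rsa) { Write-Output '  key is not RSA, skipping'; return }

    # The on-disk file name comes from a different property for CNG and CAPI keys.
    if ($rsa -is [System.Security.Cryptography.RSACng]) { $name = $rsa.Key.UniqueName } else { $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    $file = $keyDirs | ForEach-Object { Join-Path $_ $name } | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $file) { Write-Output '  key file not found (smart card or TPM-backed key?)'; return }

    # (b) Explicit Allow entry with Read for the connecting account (group membership is not expanded).
    $hit = (Get-Acl $file).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $read) -eq $read
    }
    $verdict = if ($hit) { 'OK: account can read the private key' } else { 'FAIL: no explicit Read entry for the account' }
    Write-Output ('  (b) {0} ({1} on {2})' -f $verdict, $Account, $file)
}
```

A FAIL on (b) can still be a false negative when the account gets access through a group, so confirm in "Manage Private Keys" before granting anything new.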
