At work, I will from time to time work with APIs that use the SOAP protocol. My favorite tool to either create a quick client or a mock server is the phenomenal SoapUI product. The UI is what it is, but it is a solid product. If HTTP is supported by the product I am currently implementing a client part for, there is nothing else needed. Just configure the mockservice and start it. The times when HTTPS is really needed, I’ve usually been setting up a reverse proxy in IIS that performs SSL offloading towards the mockservice.

But this time I figured that I wanted to try it out again to do HTTPS natively in SoapUI, and quickly found official documentation on how to configure it to do this. I followed the examples and tried it out but was unable to make it work. I installed openjdk in WSL (I figured that it was the easiest and quickest way) and followed this example in order to generate the keystore (which made it easier to change values as I was troubleshooting). In their example, at the time of this writing, they still use the port of the mockservice but with the protocol set to HTTPS. Confused, I found a community post with this important bit of information:

The SSL layer appears to be a man-in-the middle component running on the SSL port, so the request needs to come in on the SSL port e.g. 8443.

Being wiser, I aimed my client implementation towards the configured port in the Mock port setting. This time, I got an error stating that a secure connection was unable to be made due to the remote server certificate being valid. Inexperienced with certificate generation using the keytool, I looked at the certificate in the generated keystore using the list command. There I found my first mistake. I had chosen a dummy value instead of a suitable address in the CN entry. I remade the keystore and got a similar error, even though I now tried to access the mockservice with an address matching the CN entry value. The validity of the certificate was correct and I verified that my computer’s clock was within the timespan (it being correct should not be important, as the client and server parts were synced in time). Some head-scratching later, I realized that Windows didn’t trust this certificate, as it only existed locally in the keystore.

I exported the certificate from the keystore:

keytool -exportcert \
 -rfc \
 -alias example \
 -file cert.pem \
 -keystore example.p12 \
 -storepass changeit \
 -storetype PKCS12 \
 -v

I used openssl in WSL in order to convert the PEM file to cer:

openssl x509 -inform PEM -in cert.pem -outform DER -out certificate.cer

I then imported the certificate into my user’s trusted root store. Rerunning the client implementation I had made, the certificate was now trusted and I was able to successfully make HTTPS calls towards my mockservice in SoapUI!
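
The two failures described above (a certificate name that does not match the address, and a self-signed certificate the client does not trust) can be reproduced and checked offline before touching SoapUI. This is an added example, not part of the original post: it uses openssl instead of keytool, `openssl verify -CAfile` stands in for the Windows trusted root store, and the host names and function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: throwaway keys and constructed names ("dummy", "localhost").
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert HOST: self-signed certificate for HOST, written to $WORK/HOST.pem.
# HOST goes into CN and into subjectAltName, which many current clients match on.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# host_matches CERT HOST: does the certificate name the address the client dials?
host_matches() {
    openssl x509 -in "$WORK/$1.pem" -noout -checkhost "$2" | grep -q "does match"
}

# trusted_with CERT ROOT: does CERT verify when ROOT is supplied as a trusted root?
trusted_with() {
    openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# to_der CERT: the PEM -> DER (.cer) conversion done before the Windows import.
to_der() {
    openssl x509 -inform PEM -in "$WORK/$1.pem" -outform DER -out "$WORK/$1.cer"
}

# fingerprint FORMAT FILE: SHA-256 fingerprint, to confirm what gets imported.
fingerprint() {
    openssl x509 -inform "$1" -in "$2" -noout -fingerprint -sha256
}

report() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi; }

make_cert dummy        # first attempt: placeholder value in the name
make_cert localhost    # second attempt: name matches the address used
to_der localhost

report host_matches dummy localhost       # FAIL: name mismatch
report host_matches localhost localhost   # ok
report trusted_with localhost dummy       # FAIL: self-signed, not a trusted root
report trusted_with localhost localhost   # ok once the certificate itself is trusted
```

Comparing the fingerprint of the `.cer` file with the one in the keystore before importing it confirms that the certificate being added to the root store is the one the mockservice presents.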