SSL Client Auth

Planned Changes to Trust Manager in ReadyAPI 3.63.0 and 3.64.0

We plan to release improvements to the Trust Manager in ReadyAPI 3.63.0 and 3.64.0. These updates introduce more granular controls for handling self-signed certificates.

ReadyAPI will require you to specify and whitelist trusted certificates. This reduces the risk of man-in-the-middle attacks and preserves Transport Layer Security (TLS) protections.

Starting in ReadyAPI 3.63.0, a new interface lets you view, add, and whitelist SSL certificates. Certificates that previously triggered errors also appear in this view.

RAPI_Screenshot_Trust_Store.png

These changes redefine how ReadyAPI manages trust and SSL certificates. Currently, ReadyAPI does not validate certificates for HTTPS calls. Starting from ReadyAPI 3.63.0, you can configure ReadyAPI to detect untrusted certificates and enforce whitelisting for certificates that previously encountered errors.

A new Trust Store section under SSL in Global Preferences will display a list of untrusted certificates that ReadyAPI encountered. When you select any certificate, the certificate details will display in a pop-up window.

Selecting one or more certificates and choosing Whitelist adds them to .cacerts in the .readyapi directory. Uploading a certificate file directly also adds it to .cacerts in the .readyapi directory.

On startup, ReadyAPI checks for .cacerts in the .readyapi folder. If no file exists, ReadyAPI creates a copy from the bundled Java .cacerts. A unified mechanism now links the Trust Manager to the .cacerts file in .readyapi.

This feature will be available but off by default in ReadyAPI 3.63.0 and enabled by default in ReadyAPI 3.64.0. This notice provides time to test the feature in 3.63.0 and prepare for its default activation in ReadyAPI 3.64.0.

ReadyAPI can use SSL client certificates to secure your connection to the server.

About client certificate authentication

When setting up an HTTPS connection, your client requests a certificate from the server to establish the server's identity. This creates a secure connection, but the server does not know who the client is. To make sure the client who can access the secure server is qualified, you use client certificate authentication.

When you use client authentication, the client sends its SSL certificate after it verifies the server identity. Then, the client and server use both certificates to generate a unique key used to sign requests sent between them.

ReadyAPI can use your certificates to secure the interactions with the server.

Requirements

  • ReadyAPI supports JKS (.jks), JCEKS (.jceks), and PKCS12 (.p12, .pfx) keystores.

  • The certificate file you use must contain the entire certificate chain, including the root certificate. Otherwise, the server may fail to verify the client identity.

  • Use a valid certificate that a server can trust. The certificate must have a digital signature from the authority trusted by the server, a valid expiration date, and should not be revoked.

Using client certificates

For all requests

  1. Open the ReadyAPI Preferences dialog:

    API testing: Opening ReadyAPI settings

  2. Switch to the SSL page. On this page, specify the KeyStore that contains the client certificate and the KeyStore password.

    If you use Windows, you can also use certificates located in the Windows Personal Certificate Store. For this, enable the Certificate Store option.

    API testing over SSL: Set up certificate for all requests

For a specific request

  1. Select an element in the APIs node in the Navigator panel and click Auth & Security > WSS Config on the toolbar:

    Configure SSL for a request: WSS Config button

    This will open the WS-Security configuration dialog.

  2. In the dialog, switch to the Keystores tab and click add.png :

    API testing over SSL: Keystores tab

  3. Select the keystore file and specify the password. If the keystore is imported successfully, the Status column will display OK:

    API testing over SSL: Configured keystore

    Close the WS-Security Configuration dialog.

  4. Select the request you want to apply the certificate to (you can select the request in the Navigator panel in Projects or select the request test step in ReadyAPI Test). Use the drop-down list in the SSL Keystore property to select the keystore:

    API testing over SSL: Keystore applied to the request

Tip

Request properties depend on the environment you use. When working with multiple servers that require different certificates, set up environments to quickly switch the certificate used.

See Also

In this section:
© 2025
Publication date: