Jul. 23rd, 2014

How to Set Your JMeter Load Test to Use Client Side Certificates

Need to use certificates to make HTTPS requests in your load test? You have two options:


1. Use a server-side client certificate

This requires the least amount of work. You use the server to encrypt and decrypt the data. However, occasionally the web application requires a client-side certificate due to security policies.


2. Use a client-side certificate

Client-side certificates are sometimes required because they are the best way for a server to "know" exactly who is connecting. One of the most common examples we see of this today is within large IT enterprises. Internal users must install and present a certificate when communicating with the server in order to receive authorization to log into the enterprise’s IT system. Fortunately, we can use JMeter to simulate this form of secure communication.


Using JMeter to Run Load Tests that Require Client Side Certificates


JMeter supports client-side JKS and PKCS12 certificates ‘out-of-the-box’. In GUI mode, you select the certificate through the SSL Manager. To use a PKCS12 certificate, make sure that the file extension is .p12 (e.g. mykeystore.p12). Any other extension will be treated as a JKS (Java KeyStore) certificate.


If you want to run your script using BlazeMeter (JMeter in non-GUI mode), take the following steps to allow your script to run with your client-side certificate:


1. Create a Java KeyStore file (e.g. mykeystore.jks).

If you have a PKCS12 file, use the following command line to convert it to a JKS file:


keytool -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -srcstorepass <certificate_password> -keystore <keystore_filename> -storepass <stored_password>


2. Go to your JMeter directory and open your system.properties file.

There, uncomment the following lines, and change the file to match your values:





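You can also use the -D option to pass these values straight from the command line. Keep in mind that a password passed this way is visible in the process list to other local users on the machine running JMeter.

For example:

-Djavax.net.ssl.keyStore=your_JKS_filename.jks -Djavax.net.ssl.keyStorePassword=yourJKSpassword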


3. Change your HTTP sampler implementation to Java (instead of HC3.1 or HC4).

You should now be able to run your script successfully.


If you plan to use BlazeMeter, upload your JMX and JKS files (with no spaces in the file names) to your BlazeMeter test.

Then pass the javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword values through the command line parameters.


Press save...and you’re ready to go!


4. Verify that your script successfully created the KeyStore and loaded your JKS certificate into it.

To do this, view your JMeter log file (if you’re using BlazeMeter, click on the ‘Logs’ tab in your test report and select a log file).


You should see lines similar to these:


2013/12/12 13:13:49 INFO  - jmeter.util.SSLManager: JmeterKeyStore Location: mykeystore.jks type JKS

2013/12/12 13:13:49 INFO  - jmeter.util.SSLManager: KeyStore created OK

2013/12/12 13:13:49 INFO  - jmeter.util.SSLManager: Total of 1 aliases loaded OK from keystore
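
One way to automate the check in step 4 after a non-GUI run, as an added example that is not part of the original post or of JMeter: a shell function that reads a JMeter log and confirms the three SSLManager messages shown above. The function name check_keystore_log and the temporary sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Checks a JMeter log for the
# SSLManager keystore messages. Function name and sample file are illustrative.
# Usage: check_keystore_log <jmeter.log> <expected_keystore_file>
# Prints the alias count and returns 0 only if the expected keystore was
# located, created OK, and at least one alias was loaded from it.
check_keystore_log() {
    log=$1
    expected=$2
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }

    # Only SSLManager lines matter; take the last match of each message.
    ssl_lines=$(grep -F 'jmeter.util.SSLManager:' "$log" || true)

    # "JmeterKeyStore Location: <file> type <TYPE>"
    location=$(printf '%s\n' "$ssl_lines" |
        sed -n 's/.*JmeterKeyStore Location: \(.*\) type [A-Za-z0-9]*.*/\1/p' |
        tail -n 1)
    if [ "$location" != "$expected" ]; then
        echo "keystore location '$location', expected '$expected'" >&2
        return 1
    fi

    printf '%s\n' "$ssl_lines" | grep -qF 'KeyStore created OK' || {
        echo "no 'KeyStore created OK' line" >&2
        return 1
    }

    # "Total of <N> aliases loaded OK from keystore"
    aliases=$(printf '%s\n' "$ssl_lines" |
        sed -n 's/.*Total of \([0-9][0-9]*\) aliases loaded OK from keystore.*/\1/p' |
        tail -n 1)
    if [ -z "$aliases" ] || [ "$aliases" -lt 1 ]; then
        echo "no aliases loaded from keystore" >&2
        return 1
    fi
    echo "$aliases"
}

# Sample run against the three log lines from step 4, copied to a temp file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
2013/12/12 13:13:49 INFO  - jmeter.util.SSLManager: JmeterKeyStore Location: mykeystore.jks type JKS
2013/12/12 13:13:49 INFO  - jmeter.util.SSLManager: KeyStore created OK
2013/12/12 13:13:49 INFO  - jmeter.util.SSLManager: Total of 1 aliases loaded OK from keystore
EOF
check_keystore_log "$sample" mykeystore.jks
rm -f "$sample"
```

The second argument must match the keystore path exactly as JMeter prints it in the log, so pass the same value you gave to javax.net.ssl.keyStore.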

