Thanks again, Jason. I tried this for encryption (and your suggested additions to support
signing by updating both truststores so that they contain both public keys) and it worked.
I think I now have a little better understanding of the role of the truststore in this
scheme.
For those of you following along at home (or at work), when Bob sends a message he uses
Alice's key to encrypt the message but his key to sign it, so the config section of
the jboss-wsse-xxx.xml file looks like:
<config>
  <sign type="x509v3" alias="bobs_key"/>
  <encrypt type="x509v3" alias="alices_key"/>
  <requires>
    <signature/>
    <encryption/>
  </requires>
</config>
Of course, on Alice's machine, the aliases are the opposite. If you don't want to
sign the messages, remove the <sign> and <signature/> tags.
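Added example, not part of the original post and not JBoss code: a small Python check that two peers' <config> fragments are mirrored the way the post describes. It assumes both machines use the same alias names in their stores and that only the <config> fragment is passed in; the function names and the sample fragments are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples: Bob's fragment is the one from the post, Alice's is the
# mirrored form the post describes ("the aliases are the opposite").
TEMPLATE = """<config>
  <sign type="x509v3" alias="{own}"/>
  <encrypt type="x509v3" alias="{peer}"/>
  <requires><signature/><encryption/></requires>
</config>"""
BOB = TEMPLATE.format(own="bobs_key", peer="alices_key")
ALICE = TEMPLATE.format(own="alices_key", peer="bobs_key")

def summarize(config_xml):
    """Extract aliases and requirements from one <config> fragment."""
    root = ET.fromstring(config_xml)
    req = root.find("requires")

    def alias(tag):
        el = root.find(tag)
        return el.get("alias") if el is not None else None

    def required(tag):
        return req is not None and req.find(tag) is not None

    return {"sign": alias("sign"), "encrypt": alias("encrypt"),
            "req_signature": required("signature")}

def check_pair(local_xml, peer_xml):
    """Return a list of problems; an empty list means the pair is consistent."""
    local, peer = summarize(local_xml), summarize(peer_xml)
    problems = []
    for name, cfg in (("local", local), ("peer", peer)):
        # The post removes <sign> and <signature/> together; flag one without the other.
        if (cfg["sign"] is not None) != cfg["req_signature"]:
            problems.append(f"{name}: <sign> and <signature/> must be present or absent together")
    # Each side signs with its own key and encrypts with the other side's key,
    # so one side's sign alias must be the other side's encrypt alias.
    for name, mine, theirs in (("local", local, peer), ("peer", peer, local)):
        if mine["sign"] and theirs["encrypt"] and mine["sign"] != theirs["encrypt"]:
            problems.append(f"{name}: signs with {mine['sign']!r} but the other side "
                            f"encrypts with {theirs['encrypt']!r}")
    return problems

if __name__ == "__main__":
    print(check_pair(BOB, ALICE))   # mirrored pair
    print(check_pair(BOB, BOB))     # config copied verbatim to the other machine
```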