I found the answer by myself. A custom inteceptor just needs to override the property:
message.put("security.encryption.username", userAlias); Then the wss4j interceptor uses the right certificate out of the keystore. -- View this message in context: http://cxf.547215.n5.nabble.com/Dynamic-encryption-user-name-tp5761404p5761405.html Sent from the cxf-user mailing list archive at Nabble.com.