Webservice Security and Windows Certificates

I want to sign webservice requests using Apache CXF and WSS4J. As far as I know, I would need a JKS store containing the certificate I want to use for signing. There's the requirement to be able to use an X.509 certificate from the Windows certificate store. The certificate shall be read from the store at the time of signing the webservice request. I know how to access the store and get the certificate. But how can I use it for signing instead of the certificate from my own JKS store?
Certificates are not used for signing, keys are. Do you have access to a private key? In which case you can actually sign something. – Laic
The KeyStore need not be a JKS one. You might write your own JCA Provider and implement KeyStoreSpi, and have it access the Windows certificate store.
Did you find my answer useful? – Libava
Just found it's possible to achieve this using the MerlinDevice class. That's how it's done:
1) Configuring properties for WSS4JOutInterceptor:

// WSS4J 2.x packages (matching the MerlinDevice class referenced in the properties file below)
import java.util.HashMap;
import java.util.Map;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.wss4j.dom.handler.WSHandlerConstants;

Map<String, Object> outProps = new HashMap<String, Object>();
outProps.put(WSHandlerConstants.ACTION, "Signature");
outProps.put(WSHandlerConstants.USER, "Friendly_name_of_your_certificate"); // alias = friendly name in Windows-MY
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, StupidCallback.class.getName());
outProps.put(WSHandlerConstants.SIG_PROP_FILE, "client_sign.properties");
WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
2) The client_sign.properties file looks like this:
org.apache.ws.security.crypto.provider=org.apache.wss4j.common.crypto.MerlinDevice
keystore.provider=SunMSCAPI
cert.provider=SunMSCAPI
keystore.type=Windows-MY
truststore.type=Windows-ROOT
3) And StupidCallback just returns a constant string as a password (its value doesn't really matter):

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.wss4j.common.ext.WSPasswordCallback; // WSS4J 2.x package

public class StupidCallback implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof WSPasswordCallback) {
                ((WSPasswordCallback) cb).setPassword("password"); // value is irrelevant for Windows-MY entries
            }
        }
    }
}
That's all.
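The answer above configures WSS4J but gives no way to find out, before the first request fails, whether the chosen Windows-MY entry can actually sign: Laic's point in the comments is that a certificate alone is useless, the store entry must carry a private key. The following is an added example, not code from the answer or from the CXF/WSS4J projects. It opens the user's Windows-MY store through SunMSCAPI, checks that the friendly-name alias resolves to a key entry with a valid certificate, proves the non-exportable key works by signing and verifying a constructed probe message, and then attaches the same WSS4JOutInterceptor configuration to a JAX-WS proxy, using an inline CallbackHandler instead of the StupidCallback class. Assumptions: WSS4J 2.x package names, a Windows JDK with the SunMSCAPI provider, an RSA or EC key in the store, and a `jaxwsPort` proxy object created elsewhere; `client_sign.properties` is the file from the answer.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.CallbackHandler;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.wss4j.common.ext.WSPasswordCallback;    // WSS4J 2.x package (assumption)
import org.apache.wss4j.dom.handler.WSHandlerConstants;   // WSS4J 2.x package (assumption)

public class WindowsStoreSigningCheck {

    /**
     * Verifies that the Windows-MY entry named by the certificate's friendly name is
     * usable for WS-Security signing: it must be a key entry (private key present, not
     * a bare certificate), the certificate must be inside its validity period, and a
     * test signature made with the CAPI-held private key must verify against the
     * certificate's public key. Returns the certificate for logging.
     */
    public static X509Certificate checkSigningEntry(String friendlyName) throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);   // no file and no password: CAPI opens the current user's store

        if (!ks.containsAlias(friendlyName)) {
            throw new IllegalStateException("No entry '" + friendlyName + "' in Windows-MY");
        }
        if (!ks.isKeyEntry(friendlyName)) {
            // Certificate without its private key: it can be trusted, never used to sign.
            throw new IllegalStateException("'" + friendlyName + "' has no private key");
        }

        X509Certificate cert = (X509Certificate) ks.getCertificate(friendlyName);
        cert.checkValidity();   // throws if expired or not yet valid

        // The key material never leaves CAPI (getEncoded() returns null for it), so the
        // only meaningful test is a real sign/verify round trip on a constructed input.
        PrivateKey key = (PrivateKey) ks.getKey(friendlyName, null);
        String alg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
        byte[] probe = "wss4j signing probe".getBytes(StandardCharsets.UTF_8);   // constructed

        Signature signer = Signature.getInstance(alg);   // provider chosen from the key type
        signer.initSign(key);
        signer.update(probe);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance(alg);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(probe);
        if (!verifier.verify(sig)) {
            throw new IllegalStateException("Test signature did not verify against the certificate");
        }
        return cert;
    }

    /**
     * Adds the Signature action from the answer to a CXF JAX-WS proxy. The password
     * callback is given inline via PW_CALLBACK_REF; Windows-MY keys have no password,
     * but WSS4J still asks for one, so any constant satisfies it.
     */
    public static void attachSigningInterceptor(Object jaxwsPort, String friendlyName) {
        CallbackHandler pwHandler = callbacks -> {
            for (javax.security.auth.callback.Callback cb : callbacks) {
                if (cb instanceof WSPasswordCallback) {
                    ((WSPasswordCallback) cb).setPassword("password");
                }
            }
        };
        Map<String, Object> outProps = new HashMap<>();
        outProps.put(WSHandlerConstants.ACTION, "Signature");
        outProps.put(WSHandlerConstants.USER, friendlyName);          // alias = friendly name
        outProps.put(WSHandlerConstants.PW_CALLBACK_REF, pwHandler);
        outProps.put(WSHandlerConstants.SIG_PROP_FILE, "client_sign.properties");

        Client client = ClientProxy.getClient(jaxwsPort);
        client.getOutInterceptors().add(new WSS4JOutInterceptor(outProps));
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "Friendly_name_of_your_certificate";
        X509Certificate cert = checkSigningEntry(alias);
        System.out.println("Signing entry OK: " + cert.getSubjectX500Principal()
                + " serial " + cert.getSerialNumber().toString(16));
        // attachSigningInterceptor(jaxwsPort, alias); once the JAX-WS proxy has been created
    }
}
```

Run the check once at client start-up, or from a deployment smoke test, so that a missing private key, an expired certificate, or a renamed entry is reported with a clear message rather than as a WSS4J exception buried in the first SOAP call.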
Look at this, which explains how to use the Windows keystore. Then you have to configure CXF to use that keystore.
How can I tell CXF to use that store? – Beehive
There doesn't seem to be any good way to do it. There's a suggestion to use a Java-COM bridge here: objectmix.com/java/… . This answer suggests that you'll be stuck in JNI hell: lists.owasp.org/pipermail/owasp-webscarab/2010-October/… – Sarasvati
However, if they store the certs in Active Directory, then it'll be accessible through LDAP and JNDI. That's what I would recommend. Let me know if you'd like some sample code, and I'll post it as an answer. – Sarasvati