We are evaluating to use JBoss WS-Security with PKI to publish a web service in an organization A. This web service will be consumed by others organizations. As we are planning to use PKI we are assuming that:
i) organization A has its own keystore (including own private key and certificates of each consuming's ws organizations) residing in its box
ii) each consuming's ws organizations has its own keystore (including its own private key and certificate and also certificate of organizarion A)

Questions:
1.- If we deploy the Web Service client jar in the same box where the Web Service was deployed (in organization A environment), how the Web Service client can use the private key to sign the message if the keystore resides in each consuming's ws organizations to avoid expose its private key?
2.- Does each consuming's ws organizations need to have a minimal JBoss instance where the WS client would be deployed? We arrive at this conclusion because if we don't do that each consuming's ws organizations would have to expose these own private keys to organization A. If there is another way, please tell me how

If I'm not clear enough, please let me know.
Thank in advance...