How to convert your SSL certificates to be used by Tomcat instead of Apache

I have a wildcard certificate that needs to be used on multiple websites that my employer owns.

To use that certificate with Tomcat, it has to be packaged in a completely different, Java-specific format: a keystore, rather than the PEM files Apache and Nginx read.

This article has everything you need:

1. Get x509 certificates from Apache/Nginx

You will need three files: the private key that was used to generate the CSR, the signed certificate provided by the certificate authority, and the intermediate (or root) certificate of that authority.

For Apache:

Check your site's configuration for the following settings:

SSLCertificateFile /etc/apache2/ssl/star_livfame_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/star_livfame_com.key
SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt

For Nginx:

Check your site's configuration for the following settings:

ssl_certificate /etc/nginx/ssl/star_livfame_com.crt;
ssl_trusted_certificate /etc/nginx/ssl/intermediate.crt;
ssl_certificate_key /etc/nginx/ssl/star_livfame_com.key;

2. Copy the three files referenced in the settings above to one location (e.g. /opt/tomcat/ssl).

3. Generate a PKCS#12 file with the OpenSSL command below:

cd /opt/tomcat/ssl
openssl pkcs12 -export -in star_livfame_com.crt -inkey star_livfame_com.key -certfile intermediate.crt -out star_livfame_com.p12

Note: You will be prompted for a password to protect the PKCS#12 file. Enter one and remember it; you will need it in the next step.

4. Convert the PKCS#12 file to a keystore:

Now convert the star_livfame_com.p12 file to a keystore by running the following command with the JDK's keytool:

keytool -importkeystore -srckeystore star_livfame_com.p12 -srcstoretype PKCS12 -destkeystore star_livfame_com.jks

Note: keytool will ask for the password of the PKCS#12 file generated earlier, then for a new password for the keystore. Remember the keystore password; you will need it in the Tomcat configuration.

That's it! Your keystore is generated and ready to be used at /opt/tomcat/ssl/star_livfame_com.jks.

5. Test the Keystore

You can check that the keystore was generated properly with the following command:

$ keytool -list -v -keystore star_livfame_com.jks

Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: 29 Apr, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 2
Owner: CN=*, OU=Media - Technology, O=Fame Digital Pvt. Ltd., L=Mumbai, ST=Maharashtra, C=IN
Issuer: CN=thawte SSL CA - G2, O="thawte, Inc.", C=US
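Steps 3 to 5 as one script, added here as an example and not code from the original post. It adds the checks you want before trusting the result: that the private key really belongs to the certificate, that the intermediate links the certificate to a trusted root, and that the keystore is created owner-readable only. It assumes the file names and /opt/tomcat/ssl from the post, and that the two passwords are supplied in the P12_PASS and JKS_PASS environment variables instead of being typed at prompts.

```shell
#!/bin/sh
# Added example (not code from the original post): steps 3 to 5 as one
# script, with the checks a practitioner wants before trusting the result.
# Assumptions: the file names and /opt/tomcat/ssl from the post, and the
# two passwords supplied via P12_PASS and JKS_PASS rather than typed in.
set -eu
SSL_DIR="${SSL_DIR:-/opt/tomcat/ssl}"
CERT="$SSL_DIR/star_livfame_com.crt"
KEY="$SSL_DIR/star_livfame_com.key"
CHAIN="$SSL_DIR/intermediate.crt"
P12="$SSL_DIR/star_livfame_com.p12"
JKS="$SSL_DIR/star_livfame_com.jks"

# Fail early, naming the file, if any of the three inputs is missing.
check_inputs() {
  for f in "$@"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
}

# Prove the private key belongs to the certificate by comparing the public
# key each one carries. A mismatched pair still imports cleanly into a
# keystore, but Tomcat will then fail every TLS handshake.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

build_keystore() {
  check_inputs "$CERT" "$KEY" "$CHAIN"
  key_matches_cert "$CERT" "$KEY"
  # The intermediate must link the leaf to a root in the system trust store.
  openssl verify -untrusted "$CHAIN" "$CERT"
  umask 077   # both output files hold the private key: owner-readable only
  openssl pkcs12 -export -in "$CERT" -inkey "$KEY" -certfile "$CHAIN" \
    -name tomcat -out "$P12" -passout "pass:$P12_PASS"
  # Re-protect the entry with the JKS password so Tomcat's default keyPass
  # (equal to keystorePass) works without a third password.
  keytool -importkeystore -srckeystore "$P12" -srcstoretype PKCS12 \
    -srcstorepass "$P12_PASS" -srcalias tomcat -destalias tomcat \
    -destkeystore "$JKS" -deststoretype JKS -deststorepass "$JKS_PASS" \
    -destkeypass "$JKS_PASS" -noprompt
  # Step 5: a PrivateKeyEntry with chain length 2 is the expected result.
  keytool -list -v -keystore "$JKS" -storepass "$JKS_PASS" \
    | grep -E 'Entry type|Certificate chain length'
}

if [ "${1:-}" = run ]; then build_keystore; fi
```

Run it as `P12_PASS=... JKS_PASS=... sh convert.sh run`; the `-name tomcat` alias is what the Connector's keyAlias attribute refers to if you set it.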


About SoCRaT

Systems Engineer, OSS & Linux Geek