Suppose you already have an SSL certificate for a static website served by the Apache2 web server, and you need to reuse the same certificate for a new dynamic Java-based website running on a Tomcat instance that you are adding. That involves the following steps:
1) For the Apache2 SSL site, the private key, certificate and certificate authority files are already in place on the Linux server:
# ls -l
total 20
-rw-r--r-- 1 root root 1288 Mar 15 00:21 certauth.crt
-rw-r--r-- 1 root root 1842 Mar 15 00:24 server.crt
-r-------- 1 root root 1751 Mar 14 21:15 private.key
#
2) For Tomcat, convert them to a format (PKCS#12) that keytool can import into its keystore:
# openssl pkcs12 -export -in server.crt -inkey private.key -out server.p12 -name tomcat -CAfile certauth.crt -caname root
Enter pass phrase for private.key:
Enter Export Password:
Verifying - Enter Export Password:
# ls -l
total 24
-rw-r--r-- 1 root root 1288 Mar 15 00:21 certauth.crt
-rw-r--r-- 1 root root 1842 Mar 15 00:24 server.crt
-r-------- 1 root root 1751 Mar 14 21:15 private.key
-rw-r--r-- 1 root root 2978 Mar 17 14:58 server.p12
#
3) Now import server.p12 into the keystore for the Tomcat instance using the Java keytool utility:
keytool -importkeystore -deststorepass password1 -destkeypass password2 -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias tomcat
4) Verify the contents of the newly created keystore:
keytool -list -v -keystore server.keystore >server.list
5) Your server.keystore is ready to be used in the Tomcat server.xml configuration file, where keystorePass is the keystore password set with -deststorepass in step 3:
<Connector port="8443" maxThreads="150" scheme="https" secure="true" SSLEnabled="true" keystoreFile="path/to/your/keystore" keystorePass="YourKeystorePassword" clientAuth="false" keyAlias="tomcat" sslProtocol="TLS"/>
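Checks worth wrapping around the export in step 2, as an added example that is not part of the original post: confirm the private key belongs to the certificate, create the PKCS#12 bundle readable by its owner only (the listing above shows server.p12 world-readable), and confirm the bundle holds the same certificate. The function names, the sample file names and the password `sample` are assumptions made for the example, and the generated sample key is unencrypted.

```shell
#!/bin/sh
# Added example: checks around the PKCS#12 export in step 2.
# All file names and passwords below are constructed sample values.

# Succeed only if certificate $1 and private key $2 share a public key.
# $3 is an optional openssl pass-phrase source for an encrypted key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout ${3:+-passin "$3"}) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Export cert $1 and key $2 to bundle $3 under the alias "tomcat", created
# owner-only, then confirm the bundle carries the same certificate.
# $4 is the openssl pass-phrase source for the export password.
export_p12() {
    cert_matches_key "$1" "$2" || { echo "key/cert mismatch" >&2; return 1; }
    ( umask 077
      openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
          -name tomcat -passout "$4" ) || return 1
    want=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    got=$(openssl pkcs12 -in "$3" -nokeys -clcerts -passin "$4" |
          openssl x509 -noout -fingerprint -sha256) || return 1
    [ "$want" = "$got" ]
}

# Build throwaway test material in directory $1: a self-signed
# certificate with its key, plus an unrelated second key.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.test" \
        -keyout "$1/private.key" -out "$1/server.crt" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

# Exercise both checks: the matching pair exports, the stray key is rejected.
demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d" &&
    export_p12 "$d/server.crt" "$d/private.key" "$d/server.p12" pass:sample &&
    ! cert_matches_key "$d/server.crt" "$d/other.key"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Sourcing the file and running `demo` exercises both functions on throwaway material; with a passphrase-protected key such as the one in step 2, openssl prompts for the pass phrase unless a source is passed as the third argument of `cert_matches_key`.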