Menu Categories Author

Nubis Novem

IT consulting company with real cloud experience

Tomcat SSL in 2014 with certificate from existing static https website

What if you had an existing SSL certificate for your static website, say running Apache2 web server. What if you needed to re-use same certificate for a new dynamic Java-based website running Tomcat instance that you were just adding. That would include following steps:

1) With our Apache2 SSL site we had our private key, certificate and authority certificate files already in place on a Linux server:


# ls -l
total 20
-rw-r--r-- 1 root root 1288 Mar 15 00:21 certauth.crt
-rw-r--r-- 1 root root 1842 Mar 15 00:24 server.crt
-r-------- 1 root root 1751 Mar 14 21:15 private.key
#

2) For Tomcat we had to convert it to format that keytool would be able to import into their keystore:

# openssl pkcs12 -export -in server.crt -inkey private.key -out server.p12 -name tomcat -CAfile certauth.crt -caname root
Enter pass phrase for private.key:
Enter Export Password:
Verifying - Enter Export Password:
# ls -l
total 24
-rw-r--r-- 1 root root 1288 Mar 15 00:21 certauth.crt
-rw-r--r-- 1 root root 1842 Mar 15 00:24 server.crt
-r-------- 1 root root 1751 Mar 14 21:15 private.key
-rw-r--r-- 1 root root 2978 Mar 17 14:58 server.p12
#

3) Now you may import server.p12 into keystore for Tomcat instance using Java keytool utility:

keytool -importkeystore -deststorepass password1 -destkeypass password2 -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias tomcat

4) Verify contents of newly created keystore:

keytool -list -v -keystore server.keystore >server.list

5) Your server.keystore is ready to be used in Tomcat server.conf configuration file:

<Connector port="8443" maxThreads="150" scheme="https" secure="true" SSLEnabled="true" keystoreFile="path/to/your/keystore" keystorePass="YourKeystorePassword" clientAuth="false" keyAlias="tomcat" sslProtocol="TLS"/>

Links for the subject: