Convert Apache (x509 cert) SSL Certificate to Tomcat (Keystore)

02 / May / 2016 by Nitin Bhadauria 4 comments

When setting up SSL certificate for a website, we mainly use two types of SSL certificate one is x509 mostly used with applications support OpenSSL library and other is Keystore which is used with Java 1.6+ applications.

Image result for apache tomcat png

Apache/Nginx uses x509 pem/crt files which is is very different than a Jetty/Tomcat (Java 1.6+) system that uses keystores and differences start right from generating a Certificate Signing Request (CSR). So, you could either generate separate CSR request for both and get different SSL certificate which obviously involve cost or you could use following steps to convert the working x509 certificate to the keystore.

1. Get x509 certificates from Apache/Nginx

You will need three certificates Private Key certificate used for generating CSR, Signed Certificate  provided by signing authority and Intermediate or Root certificate of signing authority.

For Apache:

Check your site’s configuration for below settings:

SSLCertificateFile /etc/apache2/ssl/star_livfame_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/star_livfame_com.key
SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt

For Nginx:

Check your site’s configuration for below settings:

ssl_certificate /etc/nginx/ssl/star_livfame_com.crt;
ssl_trusted_certificate /etc/nginx/ssl/intermediate.crt;
ssl_certificate_key /etc/nginx/ssl/star_livfame_com.key;

2. Copy the three files which can be found in the above to one location
(Ex. /opt/tomcat/ssl).

3. Using below OpenSSL command generate pkcs12 file:

cd /opt/tomcate/ssl
openssl pkcs12 -export -in star_livfame_com.crt -inkey star_livfame_com.key -certfile intermediate.crt -out star_livfame_com.p12

Note: You will be prompted for a password to secure the certificate, please enter the password and remember the password.

4. Convert pkcs12 certificate to keystore:

You will now convert our star_livfame_com.p12 file to a keystore by performing the following command line in Tomcat using keytool:

keytool -importkeystore -srckeystore star_livfame_com.p12 -srcstoretype PKCS12 -destkeystore star_livfame_com.jks

Note: It will ask for password of the pkscs12 that we generated earlier and a new password for the keystore, remember the password that you have given for keystore you will need it in configuration.

That’s it !! Your keystore is generated and ready to be used at: /opt/tomcat/ssl/star_livfame_com.jks.

5. Test the Keystore

You can test your keystore if its generated properly with below command:

$keytool -list -v -keystore star_livfame_com.jks

Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: 29 Apr, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 2
Owner: CN=*, OU=Media - Technology, O=Fame Digital Pvt. Ltd., L=Mumbai, ST=Maharashtra, C=IN
Issuer: CN=thawte SSL CA - G2, O="thawte, Inc.", C=US

Hope this blog helped you in converting Apache (x509 cert) SSL Certificate to Tomcat (Keystore). I will be continuing to post some more important related blogs.


comments (4)

  1. siva

    this post just saved me a lot of trouble. have been searching all over the web with no clarity and yours is the only one which worked smoothly in first go. thank you soo much.


Leave a Reply

Your email address will not be published. Required fields are marked *