This document may be helpful if you need to convert an existing Apache httpd SSL certificate to the Java KeyStore (JKS) format used by default in Apache Tomcat. This example is specific to trusted certificates issued by GoDaddy, but the process should be similar for most server certificates issued by a certificate authority. The example paths listed are typical for Ubuntu 12.04 LTS; you can use any paths that work for your system. A PKCS12 formatted file is created as an intermediate step to get the private key and trust chain into a format accepted by the Java "keytool" utility.
Here is a typical Apache httpd configuration snippet showing the location of the certificates that need to be converted to JKS format for use by Tomcat.
SSLCertificateFile /etc/ssl/my_public_ssl.crt
SSLCertificateKeyFile /etc/ssl/private/my_private.key
SSLCertificateChainFile /etc/ssl/godaddy_bundle.crt
Here is a sample Bash script to do the conversion; the resulting JKS file should be usable directly by Tomcat.
#!/bin/bash
set -o verbose

# CHANGE THESE TO MATCH YOUR ENVIRONMENT AND NEEDS!!
mykey=/etc/ssl/private/my_private.key
mypublic=/etc/ssl/my_public_ssl.crt
mychain=/etc/ssl/godaddy_bundle.crt
keyalias=tomcat
mypass=changeit
myp12=/etc/ssl/for_tomcat.p12
myjks=/etc/ssl/for_tomcat.jks

# To view public certificate contents (expiration date, issuer, etc.):
# openssl x509 -in "$mypublic" -text -noout

# -CAfile /ca/bundle/path *AND* -chain ...
# ... *are REQUIRED for adding chain to cert*
openssl pkcs12 -export -inkey "$mykey" -name "$keyalias" \
  -in "$mypublic" -out "$myp12" -password "pass:$mypass" \
  -CAfile "$mychain" -chain

# VERIFY p12 file with this openssl command ...
# (one friendlyName/subject pair per certificate in the chain is expected)
openssl pkcs12 -in "$myp12" -passin "pass:$mypass" \
  -passout "pass:$mypass" \
  | egrep -i 'friendlyName:|subject=|key attributes'

# Import the PKCS12 file (key + chain) into a new JKS keystore
keytool -importkeystore -deststorepass "$mypass" \
  -destkeystore "$myjks" -srckeystore "$myp12" \
  -srcstoretype PKCS12 -srcstorepass "$mypass"

# VERIFY with keytool -list -v ...
# ... -v (verbose) option REQUIRED to see chain certs in listing
keytool -list -v -keystore "$myjks" -storepass "$mypass" \
  | egrep -i 'alias name|chain length|certificate\[|owner:'
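The script above assumes the key, certificate and bundle line up and that the chain made it into the PKCS12 file; neither is checked. The following is an added example, not code from the original post: it builds a throwaway root -> intermediate -> server chain with openssl (a constructed stand-in for the GoDaddy-issued certificate and bundle), runs the same "openssl pkcs12 -export ... -CAfile ... -chain" step, and verifies that the private key belongs to the certificate and that the intermediate and root actually landed in the .p12. Everything in it (file names, CNs, the "changeit" password, the tomcat alias) is constructed; it assumes openssl 1.1 or 3.x on PATH, and runs the keytool import only if a JDK is installed.

```shell
#!/bin/bash
# Added example (not from the original post). Builds a constructed test CA
# hierarchy, runs the post's pkcs12 export against it, and checks the result.
# Assumes openssl on PATH; the keytool step is skipped when no JDK is present.
set -eu
umask 077                       # the .p12 holds the private key: owner-only files
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
pass=changeit                   # constructed password, like the post's placeholder

# Constructed root -> intermediate -> server chain. The intermediate needs
# basicConstraints CA:TRUE or openssl's chain building for -chain rejects it.
make_test_chain() {
  ( cd "$work"
    printf 'basicConstraints=CA:TRUE\n' > ca.ext
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
      -subj "/CN=Test Root" -days 2 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
      -subj "/CN=Test Intermediate" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -extfile ca.ext -out inter.crt -days 2 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
      -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
      -out server.crt -days 2 2>/dev/null
    cat inter.crt root.crt > bundle.crt   # same shape as godaddy_bundle.crt
  )
}

# Check the post's script skips: does this private key belong to this cert?
# Compare SHA-256 digests of the DER public key derived from each side.
key_matches_cert() {  # $1 = private key PEM, $2 = certificate PEM
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}

# The post's export step, parameterised (same options: -CAfile plus -chain).
export_p12() {  # $1 = key, $2 = cert, $3 = CA bundle, $4 = output .p12
  openssl pkcs12 -export -inkey "$1" -name tomcat -in "$2" -out "$4" \
    -password "pass:$pass" -CAfile "$3" -chain
}

# How many certificates ended up in the .p12? Expect 3 for this chain
# (server + intermediate + root); 1 means -CAfile/-chain were left off.
p12_cert_count() {  # $1 = .p12 file
  openssl pkcs12 -in "$1" -passin "pass:$pass" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# The post's keytool import, run only when a JDK is available; prints the
# "Certificate chain length" line that the post's final grep looks for.
jks_chain_length() {  # $1 = .p12, $2 = .jks
  command -v keytool >/dev/null 2>&1 || { echo "keytool not installed; skipping JKS import"; return 0; }
  keytool -importkeystore -deststorepass "$pass" -destkeystore "$2" \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$pass" -noprompt >/dev/null 2>&1
  keytool -list -v -keystore "$2" -storepass "$pass" 2>/dev/null | grep -i 'chain length'
}

make_test_chain
if key_matches_cert "$work/server.key" "$work/server.crt"; then
  echo "server key matches server certificate"
fi
if ! key_matches_cert "$work/inter.key" "$work/server.crt"; then
  echo "a mismatched key is detected before export"
fi
export_p12 "$work/server.key" "$work/server.crt" "$work/bundle.crt" "$work/out.p12"
echo "certificates in .p12: $(p12_cert_count "$work/out.p12")"
jks_chain_length "$work/out.p12" "$work/out.jks"
```

Two practical notes on top of the post's procedure. First, OpenSSL 3.x writes the .p12 with its newer default encryption (PBES2 with AES), which some older keytool releases cannot read; OpenSSL 3.x offers a `-legacy` option on `openssl pkcs12` for that case. Second, the intermediate .p12 contains the private key just as much as the .jks does, so create it with a restrictive umask as above and delete it once the import has been verified, rather than leaving a second copy of the key under /etc/ssl.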
Normally I find the documentation and support provided by the issuing Certificate Authority and web server software to be sufficient. In this case, the conversion was not an obvious match to the documentation provided and I wanted to save the steps used for later reference. Some search results were helpful, but none were exactly what I wanted here.