Convert Apache Httpd SSL Certificate for Tomcat

This document may be helpful if you need to convert an existing Apache Httpd SSL certificate to the Java KeyStore (JKS) format used by default in Apache Tomcat. This example is specific to trusted certificates issued by GoDaddy, but the process should be similar for most certificate-authority-issued server certificates. Example paths listed are typical for Ubuntu 12.04 LTS; you can use any paths that work for your system. A PKCS12-formatted file is created as an intermediate step to get the private key and trust chain into a format accepted by the Java "keytool" utility.

Here is a typical Apache httpd configuration snippet showing the location of the certificates that need to be converted to JKS format for use by Tomcat.

SSLCertificateFile /etc/ssl/my_public_ssl.crt
SSLCertificateKeyFile /etc/ssl/private/my_private.key
SSLCertificateChainFile /etc/ssl/godaddy_bundle.crt

Here is a sample Bash script to do the conversion. The resulting JKS file should be usable directly by Tomcat.

#!/bin/bash
set -o verbose

# CHANGE THESE TO MATCH YOUR ENVIRONMENT AND NEEDS!!
# (the .p12 and .jks files created below contain the private key;
#  keep them as tightly permissioned as the original key file)
mykey=/etc/ssl/private/my_private.key
mypublic=/etc/ssl/my_public_ssl.crt
mychain=/etc/ssl/godaddy_bundle.crt
keyalias=tomcat
mypass=changeit
myp12=/etc/ssl/for_tomcat.p12
myjks=/etc/ssl/for_tomcat.jks

# To view public certificate contents (expiration date, issuer, etc.):
#   openssl x509 -in "$mypublic" -text -noout
# -CAfile /ca/bundle/path *AND* -chain ...
# ... *are REQUIRED for adding chain to cert*
openssl pkcs12 -export -inkey "$mykey" -name "$keyalias" \
 -in "$mypublic" -out "$myp12" -password "pass:$mypass" \
 -CAfile "$mychain" -chain
# VERIFY p12 file with this openssl command ...
# (expect the friendlyName to equal $keyalias and one subject= line per chain cert)
openssl pkcs12 -in "$myp12" -passin "pass:$mypass" \
 -passout "pass:$mypass" \
 | egrep -i 'friendlyName:|subject=|key attributes'
# Import the PKCS12 into a new JKS; the friendlyName ($keyalias) becomes the JKS alias
keytool -importkeystore -deststorepass "$mypass" \
 -destkeystore "$myjks" -srckeystore "$myp12" \
 -srcstoretype PKCS12 -srcstorepass "$mypass"
# VERIFY with keytool -list -v ...
# ... -v (verbose) option REQUIRED to see chain certs in listing
keytool -list -v -keystore "$myjks" -storepass "$mypass" \
 | egrep -i 'alias name|chain length|certificate\[|owner:'

Normally I find the documentation and support provided by the issuing Certificate Authority and web server software to be sufficient. In this case, the conversion was not an obvious match to the documentation provided and I wanted to save the steps used for later reference. Some search results were helpful, but none were exactly what I wanted here.
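Before running the script above, and again after the PKCS12 export, the checks below catch the failures that the keytool import does not report: a private key that does not match the certificate, a bundle that lacks the intermediate which signed the leaf, a certificate close to expiry, and a .p12 that carries only the leaf because -CAfile/-chain were left out. This is an added example and not part of the original post; it needs only openssl (no keytool), the function names are my own, and it assumes unencrypted PEM key and certificate files as in the httpd configuration shown.

```shell
#!/bin/sh
# Pre-flight and post-export checks for the httpd -> PKCS12 -> JKS conversion above. Added
# example, not part of the original post; needs only openssl and assumes unencrypted PEM files.

# SHA-256 of the DER public key derived from a private key file (fails if unreadable).
pubkey_fp_from_key() {
    pem=$(openssl pkey -in "$1" -pubout 2>/dev/null </dev/null) || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER public key carried in a PEM certificate (fails if unreadable).
pubkey_fp_from_cert() {
    pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only when key and certificate carry the same public key; a mismatch imports
# into the JKS without complaint and only shows up when the TLS handshake fails.
key_matches_cert() {
    k=$(pubkey_fp_from_key "$1") && c=$(pubkey_fp_from_cert "$2") && [ "$k" = "$c" ]
}

# Succeeds when the certificate's issuer DN is the subject of some certificate in the
# bundle, i.e. the bundle really contains the intermediate that signed the leaf.
chain_has_issuer() {
    issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    [ -n "$issuer" ] || return 1
    openssl crl2pkcs7 -nocrl -certfile "$2" 2>/dev/null | openssl pkcs7 -print_certs -noout \
        | sed -n 's/^subject= *//p' | grep -Fxq "$issuer"
}

# Succeeds when the certificate stays valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Runs every input check (key, cert, chain bundle); reports each failure, returns non-zero if any.
check_ssl_inputs() {
    rc=0
    key_matches_cert "$1" "$2" || { echo "private key does not match certificate" >&2; rc=1; }
    chain_has_issuer "$2" "$3" || { echo "certificate issuer not found in chain bundle" >&2; rc=1; }
    cert_valid_for "$2" $((30 * 24 * 3600)) || { echo "certificate expires within 30 days" >&2; rc=1; }
    return $rc
}

# Number of certificates in an exported PKCS12: 2 or more means the chain went in,
# 1 means -CAfile/-chain were missing and Tomcat would serve an incomplete chain.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
```

Call `check_ssl_inputs "$mykey" "$mypublic" "$mychain"` before the export and `p12_cert_count "$myp12" "$mypass"` after it, using the variables from the script above.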


2 Responses to Convert Apache Httpd SSL Certificate for Tomcat

  1. PatrickM says:

    As I struggled to make a usable JKS keystore using Verisign/Digicert certificates, I thought I might share the process:

    1) Download p7b bundle from CA account manager
    2) Run the following command to convert p7b to a PEM (text) format:

    openssl pkcs7 -in my_domain_name.p7b -out my_domain_name.pem -print_certs

    3) In the script above, replace the “mychain” variable by the path to the newly generated PEM file
    4) Change keyalias variable to the alias you used while creating the CSR for the original certificate (usually my.domain.com)

    Enjoy!

  2. Pingback: Convert Windows IIS SSL Certificate to Tomcat Java Format | Notes by Tom
