Ran into another problem using SSL and Tomcat: I've configured a keystore which contains a key and a certificate (the server certificate I wish to present to the clients co
The problem is (apparently - I can not really confirm this) that it's impossible to properly import a previously generated certificate (and matching key) into a JKS keystore and have it presented properly by Tomcat.
The situation in which my problem occurred is as follows:
The solution I found to work is:
Convert the existing certificate and its private key to the DER format. For example (using OpenSSL):
For the private key:
openssl pkcs8 -topk8 -nocrypt -in my_private_key.key -inform PEM -out my_private_key.der -outform DER
For the actual signed certificate:
openssl x509 -in my_certificate.crt -inform PEM -out my_certificate.der -outform DER
Import both DER files into a keystore (JKS file) using a custom Java class.
java ImportKey my_private_key.der my_certificate.der
I did not figure this out myself (all credit goes to the original inventor(s)). The source for this Java class, and some more details, can be found here and here. I modified this class slightly so that there is a 3rd (or 4th) parameter that specifies the output location of the resulting JKS file.
The end result is a JKS keystore which can then be used in the Tomcat Connector configuration as the keystore. The above tool will generate the JKS file with default passwords for the key and the JKS file itself; these can be changed later using keytool -storepasswd and keytool -keypasswd. Hope this helps people facing the same issue.