Apache uses x509 pem/crt files which is is very different than a Tomcat system that uses keystores. You will follow these steps to copy, convert, and move the working Apache certificate to the Tomcat server.
Both Apache and Tomcat are very customizable. The directory location and naming of the individual files needed vary depending on your personalized system. Below are generalized instructions.
We will start by assuming that you have already successfully installed the SSL certificate on the Apache web server.
Step 1: Finding/converting your SSL certificate and key file on Apache:
- Referencing the httpd.conf or ssl.conf file on the Apache system look for the location and directories of the three files necessary.
- SSLCertificateFile /usr/local/ssl/crt/public.crt
SSLCertificateFile tells Apache how to find the the SSL certificate file.
- SSLCertificateKeyFile /usr/local/ssl/private/private.key
SSLCertificateKeyFile tells Apache how to find the private key file. - SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt
SSLCertificateChainFile or SSLCACertificateFile tells Apache the location of the Intermediate file.
- SSLCertificateFile /usr/local/ssl/crt/public.crt
- Copy the three files located within these directories into one location.
- Using OpenSSL on the Apache system you will perform the following command line conversion.
Note: you will be prompted for a password.openssl pkcs12 -export -in public.crt -inkey private.key -out mycert.p12 -name tomcat -CAfile intermediate.crt -caname intermediate -chain
- The exported keystore will be ‘mycert.p12‘ and will be ready for you to migrate to the Tomcat server.
- Note: If you receive the following error: “Error unable to get issuer certificate getting chain” it means that you will have to append the Root certificate that correlates with your SSL Certificate product to the bottom of you intermediate.crt file.
To append the root certificate file perform the following:- Open Intermediate.crt with a plain text editor such as Notepad or Vi
- Copy the contents of the root certificate below: (including the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– lines)
- Paste the copied contents directly beneath the —–END CERTIFICATE—– line of the bottom of the intermediate certificate
So your intermediate file should look like something like this..——BEGIN CERTIFICATE——
*Intermediate CA Chain *
——END CERTIFICATE——–
——BEGIN CERTIFICATE——
*Root CA cert *
——END CERTIFICATE—— - Save the file as Intermediate.crt
- Re-run the above OpenSSL command.
- Note: If you receive the following error: “Error unable to get issuer certificate getting chain” it means that you will have to append the Root certificate that correlates with your SSL Certificate product to the bottom of you intermediate.crt file.
Step 2: Configuring SSL in Tomcat with your keystore:
- On the Tomcat server search and open the Tomcat server.xml file.
- Open the server.xml config file using a text editor (ie. JAKARTA_HOME/conf/server.xml)
Search for the secure element in your config file (try searching for SSL Connector). By default it should look something like this:
- Change the following attributes to reference the location, name, and password of your keystore.
- keystoreFile=”c:\PATH TO mycert.p12”
- keystorePass=”password of mycert.p12”
- Add The following line under KeystorePass=
- keystoreType=”PKCS12″
- Save the changes.
- Stop and Start Tomcat.Your SSL Certificate/Keystore is now installed, and the website is now configured.
Note: PKCS12 keystore type is only supported with Tomcat JDK 1.5.x+
If unsuccessful you will have to convert your mycert.p12 file to a .jks file by performing the following command line in Tomcat using keytool.
keytool -importkeystore -srckeystore mycert.p12 -srcstoretype PKCS12 -destkeystore mycert.jks
If this fails and you cannot get Tomcat to use the Apache converted keystore you will need to generate a new keystore and CSR from the Tomcat System and reissue your certificate to be used on the Tomcat system.
Tomcat Support
For more information refer to Tomcat