
How to move certificate from IIS to Tomcat

Windows servers use .pfx/.p12 (PKCS#12) files to contain the public key file (SSL certificate) together with its unique private key file.

The Certificate Authority (CA) provides you with your SSL certificate (public key file). The associated private key file was generated on your server, where the CSR was created.

You need both the public key and the private key for an SSL certificate to work properly on any system. Windows uses the .pfx/.p12 file to contain these two keys; therefore, if you need to transfer your SSL certificate from one server to another or store it somewhere for safekeeping, you need to create a .pfx backup.

Depending on the type of Tomcat system you have, you may have to convert your .pfx keystore into a .jks keystore before Tomcat will recognize it. Instructions for that conversion are in Step 3 – A.

To back up, export, and move an SSL certificate with its private key from Windows IIS to a Tomcat system, perform the following steps.

Step 1: Create an MMC snap-in for managing certificates on the IIS 7 system:

  1. Start > Run > MMC.
  2. Go into the Console tab > File > Add/Remove Snap-in.
  3. Click on Add > click on Certificates and click on Add.
  4. Choose Computer Account > Next.
  5. Choose Local Computer > Finish.
  6. Close the Add Standalone Snap-in window.
  7. Click on OK at the Add/Remove Snap-in window.

Step 2: Export/back up the certificate to a .pfx file:

  1. In MMC, double click on Certificates (Local Computer) in the center window.
  2. Double click on the Personal folder, and then on Certificates.
  3. Right click on the certificate you would like to back up and choose > ALL TASKS > Export.
  4. Follow the Certificate Export Wizard to back up your certificate to a .pfx file.
  5. Choose “Yes, export the private key”.
  6. Choose “Include all certificates in certificate path if possible.” (do NOT select the delete private key option)
  7. Enter a password you will remember.
  8. Choose a location to save the file.
  9. Click Finish.
  10. You will receive the message “The export was successful.” > Click OK.
  11. The .pfx file backup is now saved in the location you selected and is ready to be moved or stored for your safekeeping.

Step 3: Preparing the Tomcat system:

Tomcat systems are very customizable. The directory location and naming of the individual files needed vary depending on your personalized system. Below are generalized instructions. After moving your .pfx file to the Tomcat server, perform the following.

  1. On the Tomcat server, locate the Tomcat server.xml file.
  2. Open the server.xml config file using a text editor (e.g. JAKARTA_HOME/conf/server.xml).
    Search for the secure element in your config file (try searching for SSL Connector).
  3. Your keystore file name and path are listed under keystoreFile, and its password under keystorePass.
  4. By default it should look like one of the following, A or B:
    • A: Standard Tomcat systems: server.xml using .jks keystores.

      (Screenshot: Tomcat server.xml using a .jks keystore)

      1. If your server.xml file looks like the above, perform the following conversion using keytool on the Tomcat system.
        Note: the names below are generalized; your names will differ.
      2. keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore newjkskeystore.jks -deststoretype JKS
      3. After this conversion you will have a new .jks keystore whose file path and directory you can specify in server.xml.
      4. Make sure the “keystoreFile” directive points to the new keystore and the “keystorePass” directive references the correct keystore password.
        Note: These directives are case-sensitive! Make sure the letters “F” and “P” in “keystoreFile” and “keystorePass” are in uppercase.
        Note: If your keystore contains more than one private key alias, add the “keyAlias” directive to reference the correct private key alias name. This is usually only seen in some standard Tomcat systems that use .jks keystores.

        For example:
        keystoreFile="insert path to the keystore here"
        keystorePass="insert keystore password here"
        keyAlias="insert private key alias here"/>
    • B: Tomcat systems: server.xml able to use .pfx keystores.

      1. If your server.xml file looks like the example below, no conversion is needed: your version of Tomcat can use .pfx files directly.
        (Screenshot: Tomcat server.xml using a .pfx keystore)
      2. Once you have determined which type of keystore your server.xml file requires, you are ready to point the server.xml file at your .pfx keystore.
      3. Make sure the “keystoreFile” directive points to the new keystore and the “keystorePass” directive references the correct keystore password.
        Note: These directives are case-sensitive! Make sure the letters “F” and “P” in “keystoreFile” and “keystorePass” are in uppercase.

        For example:
        keystoreFile="insert path to the keystore here"
        keystorePass="insert keystore password here"
  5. After you have updated your server.xml file…
  6. Save the changes.
  7. Stop and start Tomcat.
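As an added check that is not part of the original article: a small Python linter for the server.xml Connector described in Step 3. It runs over a constructed sample server.xml (paths and password are placeholders) and reports the mistakes the notes above warn about: mis-cased attribute names, and a .pfx keystore referenced without keystoreType="PKCS12". It assumes Tomcat's keystoreFile/keystorePass/keyAlias/keystoreType Connector attributes and JKS as Tomcat's default keystoreType.

```python
"""Lint the SSL Connector in a Tomcat server.xml before restarting Tomcat.

Added example, not from the original article. Flags mis-cased keystoreFile /
keystorePass / keyAlias attributes (Tomcat silently ignores them) and a .pfx/.p12
keystore used without keystoreType="PKCS12" (Tomcat assumes JKS when omitted).
"""
import os
import xml.etree.ElementTree as ET

# Canonical (case-sensitive) spelling of the Connector attributes checked here.
CANONICAL = {n.lower(): n for n in ("keystoreFile", "keystorePass", "keyAlias", "keystoreType")}


def lint_ssl_connector(server_xml, exists=os.path.exists):
    """Return a list of problems; an empty list means the connector looks sane."""
    problems = []
    root = ET.fromstring(server_xml)
    ssl = [c for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl:
        return ['no Connector with SSLEnabled="true" found']
    for conn in ssl:
        port = conn.get("port", "?")
        for name in conn.attrib:  # a wrongly cased name is simply a different, ignored attribute
            canon = CANONICAL.get(name.lower())
            if canon and name != canon:
                problems.append(f'port {port}: "{name}" must be spelled "{canon}" (case-sensitive)')
        keystore = conn.get("keystoreFile")
        if not keystore:
            problems.append(f"port {port}: keystoreFile is missing")
        else:
            if not exists(keystore):  # injectable so the constructed sample runs offline
                problems.append(f"port {port}: keystore {keystore} not found")
            ext = os.path.splitext(keystore)[1].lower()
            ktype = conn.get("keystoreType", "JKS").upper()
            if ext in (".pfx", ".p12") and ktype != "PKCS12":
                problems.append(f'port {port}: {keystore} is PKCS#12 but keystoreType is {ktype}; '
                                'set keystoreType="PKCS12" or convert it to .jks with keytool')
        if not conn.get("keystorePass"):
            problems.append(f"port {port}: keystorePass is missing")
    return problems


# Constructed sample: port 8443 follows the article's case A; port 8444 has a mis-cased
# attribute and points at a .pfx without keystoreType, so three problems are reported.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="/opt/tomcat/conf/newjkskeystore.jks" keystorePass="changeit" keyAlias="tomcat"/>
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="/opt/tomcat/conf/mypfxfile.pfx" KeystorePass="changeit"/>
</Service></Server>"""
```

Call lint_ssl_connector(SAMPLE_SERVER_XML, exists=lambda _p: True) to see the three findings for port 8444; against a real server.xml pass the file contents and leave exists at its default so missing keystore paths are caught too.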

Your SSL/TLS certificate is now installed and configured for its website.

If you are unable to use these instructions for your server, Acmetek recommends that you contact either the vendor of your software or the organization that supports it.

Tomcat Support:
For more information, please refer to Tomcat Support
