Wednesday, 21 November 2018

Convert Apache (x509 cert) SSL Certificate to Tomcat (Keystore)

When setting up an SSL certificate for a website, two certificate formats are mainly used: x509, mostly used by applications built on the OpenSSL library, and the keystore, used by Java 1.6+ applications.


Apache/Nginx use x509 pem/crt files, which is very different from a Jetty/Tomcat (Java 1.6+) system that uses keystores; the differences start right from generating a Certificate Signing Request (CSR). So you could either generate a separate CSR for each and obtain a second SSL certificate, which obviously involves cost, or you could use the following steps to convert the working x509 certificate into a keystore.

1. Get x509 certificates from Apache/Nginx
You will need three files: the private key used for generating the CSR, the signed certificate provided by the signing authority, and the intermediate or root certificate of the signing authority.

For Apache:

Check your site’s configuration for below settings:

SSLCertificateFile /etc/apache2/ssl/10tut_blogspot_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/10tut_blogspot_com.key
SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt

For Nginx:

Check your site’s configuration for below settings:

ssl_certificate /etc/nginx/ssl/10tut_blogspot_com.crt;
ssl_trusted_certificate /etc/nginx/ssl/intermediate.crt;
ssl_certificate_key /etc/nginx/ssl/10tut_blogspot_com.key;

2. Copy the three files found in the configuration above to one location (e.g. /opt/tomcat/ssl).
3. Using the OpenSSL command below, generate a pkcs12 file:
cd /opt/tomcat/ssl
openssl pkcs12 -export -in 10tut_blogspot_com.crt -inkey 10tut_blogspot_com.key -certfile intermediate.crt -out 10tut_blogspot_com.p12

Note: You will be prompted for a password to protect the pkcs12 file; enter a password and remember it, as it is needed in the next step.

4. Convert the pkcs12 certificate to a keystore:
You will now convert the 10tut_blogspot_com.p12 file to a keystore by running the following command on the Tomcat host using keytool (shipped with the JDK):

keytool -importkeystore -srckeystore 10tut_blogspot_com.p12 -srcstoretype PKCS12 -destkeystore 10tut_blogspot_com.jks

Note: It will ask for the password of the pkcs12 file that we generated earlier and for a new password for the keystore. Remember the keystore password; you will need it in the Tomcat configuration.

That's it! Your keystore is generated and ready to be used at /opt/tomcat/ssl/10tut_blogspot_com.jks.

5. Test the Keystore
You can check that your keystore was generated properly with the command below; it should list exactly one PrivateKeyEntry whose certificate chain contains your signed certificate followed by the intermediate:

$ keytool -list -v -keystore 10tut_blogspot_com.jks

Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: 29 Apr, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=*.livfame.com, OU=Media - Technology, O=Fame Digital Pvt. Ltd., L=Mumbai, ST=Maharashtra, C=IN
Issuer: CN=thawte SSL CA - G2, O="thawte, Inc.", C=US
.....
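The steps above package whatever three files you point at, and a mismatched key, a certificate from a different CA, or an expired certificate only shows up later as a failing Tomcat connector. The following script is an added example, not from the original post: it checks that the private key, signed certificate and intermediate belong together before building the pkcs12 file, and names the entry (the alias "tomcat" and the use of an environment variable for the password are assumptions; the file names follow the post). It needs only openssl.

```shell
#!/bin/sh
# Added example: validate Apache/Nginx certificate material before converting it.

# SHA-256 of the DER public key inside a private key file
key_pub_fp() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER public key inside a certificate file
cert_pub_fp() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 only if: key matches cert (1), cert is issued via the intermediate (2),
# and cert has not expired (3). The number is the failing check.
check_cert_material() {
  key=$1 crt=$2 chain=$3
  [ "$(key_pub_fp "$key")" = "$(cert_pub_fp "$crt")" ] \
    || { echo "private key does not match certificate" >&2; return 1; }
  # -partial_chain lets the intermediate act as the trust anchor for this check
  openssl verify -partial_chain -CAfile "$chain" "$crt" >/dev/null 2>&1 \
    || { echo "certificate is not issued by $chain" >&2; return 2; }
  openssl x509 -in "$crt" -checkend 0 -noout >/dev/null \
    || { echo "certificate has expired" >&2; return 3; }
  return 0
}

# Build the pkcs12 file with a friendly alias ("tomcat", assumed) instead of the
# default "1" seen in the keytool output, reading the password from the
# environment so it does not appear in the process list.
build_pkcs12() {
  key=$1 crt=$2 chain=$3 out=$4 pass=$5
  check_cert_material "$key" "$crt" "$chain" || return $?
  P12_PASS="$pass" openssl pkcs12 -export -in "$crt" -inkey "$key" -certfile "$chain" \
    -name tomcat -out "$out" -passout env:P12_PASS
}

# Usage as in the post (paths assumed), followed by the keytool import from step 4:
# build_pkcs12 10tut_blogspot_com.key 10tut_blogspot_com.crt intermediate.crt 10tut_blogspot_com.p12 "$MY_P12_PASS"
# keytool -importkeystore -srckeystore 10tut_blogspot_com.p12 -srcstoretype PKCS12 -destkeystore 10tut_blogspot_com.jks
```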
I hope this blog helped you in converting an Apache (x509 cert) SSL certificate to a Tomcat keystore. I will continue to post more related blogs.