Friday, June 10, 2016

USING A PEM PRIVATE KEY AND SSL CERTIFICATE WITH TOMCAT

This was the craziest part: I spent almost a week researching how to enable SSL, tried .cer and .crt files, and at last got it working with the process below. These notes are a reminder for me of how I did things, but they may also be useful for others, as documentation elsewhere is pretty lacking.
In this post I will walk you through importing a PEM private key and CA issued SSL certificate into a Java key store so that it can be used with Tomcat. These instructions are for Windows users, but I’m sure something similar will work on UNIX. To get started, you will need the following:
  • Your PEM private key that you used to generate your CSR
  • Your PEM SSL certificate issued by your CA
  • Any intermediate CA certificates if required
  • Tomcat
  • Java 6 with keytool on your path
  • openssl installed (you can download and unzip it from www.openssl.org)

For your information, .cer and .crt files are interchangeable: if you have a .crt or a .cer file, either can be used in the commands below.

For the record, my CA was a standard certified provider (yours could equally be your company's own CA, etc.), and I required 2 intermediate certificates. However I’m reasonably confident these instructions will work with certificates issued by other CAs.
1: Exporting your private key and certificate to PKCS12
Your first task is to export your PEM private key and PEM CA issued certificate to a format that can be handled by the Java keystore. In this case I am going to convert them to PKCS12 format. This is recommended by the Tomcat 7 docs. To do this, run the following command:
openssl pkcs12 -export -in <your_CA_signed_PEM_cert> -inkey <your_PEM_private.key> -out <your_certificate_name>.p12 -name tomcat -chain -CAfile <your_root_CA_certificate>
You will be asked for a password at this point. Use something that you can remember as you’re going to need it in a minute.
In the above there are a few important points:
  • The “chain” option ensures that the full certificate chain for your certificate is included. This is a must if there are intermediary certificates between your certificate and your root CA.
  • The “name” option must be tomcat. This is the alias that Tomcat will search for in the keystore to identify the certificate it should present to clients.
  • The “CAfile” option allows the chain option to work correctly. If you have intermediary certificates before your root CA, then this should be a bundle of all those certificates. Your CA should provide this. GoDaddy certainly did. If there are no intermediary certificates, then this is the root certificate for your CA.
2: Importing your new PKCS12 certificate and key bundle into a Java keystore
A Java keystore is just a flat file in a particular format. This makes it super easy to create new ones. What we need to do now is take the PKCS12 key and certificate bundle we just exported and create a brand new keystore from it. This is where we need the Java keytool command.
keytool -importkeystore -deststorepass <a_password_for_your_java_keystore> -destkeypass <a_password_for_the_key_in_the_keystore> -destkeystore tomcat.keystore -srckeystore <exported_private_key_and_cert.p12> -srcstoretype PKCS12 -srcstorepass <the_password_I_told_you_to_remember> -alias tomcat
Once this completes, you should see a file called “tomcat.keystore” in the same directory from where you issued the command. This is your brand new Java keystore with the PKCS12 version of your PEM private key and certificate in it.
3: Importing intermediate keys into the keystore if required
If like me your CA has intermediate certificates, now is the time to import them into the new keystore we just created. It is highly likely that your CA will provide instructions on how to do this and how the certificates should be named. In my case I needed to import a few from GoDaddy (substitute the ones issued for your own server certificate). Just to give you an example, I needed the following:
keytool -import -alias cross -keystore tomcat.keystore -trustcacerts -file MRS_cross_intermediate.cer
and
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file MRS_intermediate.cer
If you have multiple intermediate certificates, install each of them the same way as above.
You *may* also need to import the root CA certificate into the keystore. You shouldn’t have to as most systems these days come with a pre-configured store of well known root CA certificates. You can give it a try and if the system already knows about it, keytool will ask you if you really want to import it.
4: Move the keystore to a known location
Next you just need to move the keystore to a known location and ensure that the process under which Tomcat will be running has access to it. I created a directory called /usr/local/keystore and stored my keystore in there.
5: Configure Tomcat to use your new keystore
Next we need to configure Tomcat to use your new keystore. Go to the conf directory of your Tomcat installation. Open server.xml for editing. Find the SSL connector and ensure that it is enabled. In addition, make sure the configuration looks something like the following:
<Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="path_to_your_keystore_file" keystorePass="the_password_you_created_for_your_keystore" clientAuth="false" sslProtocol="TLS"/>
This will enable SSL on port 8443. If you need 443 instead, change the port number accordingly.
6: Test
Boot Tomcat and then go to <your_hostname>:8443. If you have done everything correctly the padlock symbol should now show in the browser. You can inspect your SSL certificate using any of the browser built-in tools.
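The whole procedure from steps 1 to 3, as an added example script that is not part of the original post. It adds the two pre-flight checks that catch the usual failures (a private key that does not match the certificate, and a CA bundle that does not complete the chain) before anything is written. It assumes openssl and keytool are on PATH; all file names and passwords are placeholders passed on the command line.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: steps 1-3 as one script with the
# two pre-flight checks that catch the usual failures. Assumes openssl and keytool
# are on PATH; every file name below is a placeholder you supply on the command line.
set -euo pipefail

# Number of PEM certificates in a file (drives the intermediate import loop).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1" || true; }

# The private key must carry the same public key as the certificate; compare the
# two SubjectPublicKeyInfo blobs instead of trusting the file names.
key_matches_cert() {  # cert.pem key.pem
    [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

# The -CAfile bundle must complete the chain, or 'openssl pkcs12 -chain' cannot
# build it and browsers will later report an incomplete chain.
chain_verifies() {  # cert.pem ca_bundle.pem
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

build_keystore() {  # cert.pem key.pem ca_bundle.pem out.keystore p12pass storepass
    local cert=$1 key=$2 bundle=$3 ks=$4 p12=$4.p12 n i
    key_matches_cert "$cert" "$key"  || { echo "private key does not match certificate" >&2; return 1; }
    chain_verifies "$cert" "$bundle" || { echo "CA bundle does not complete the chain" >&2; return 1; }
    # Step 1: PKCS12 with alias 'tomcat' and the full chain (password via env, not argv).
    P12PASS=$5 openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$p12" -name tomcat \
        -chain -CAfile "$bundle" -passout env:P12PASS
    # Step 2: fresh Java keystore from the PKCS12; key password = store password,
    # which is what Tomcat assumes when keyPass is not set in server.xml.
    keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$5" \
        -srcalias tomcat -destkeystore "$ks" -deststorepass "$6" -destkeypass "$6" -destalias tomcat
    # Step 3: import each intermediate from the bundle as a trusted cert, one alias each.
    n=$(count_certs "$bundle"); i=1
    while [ "$i" -le "$n" ]; do
        awk -v want="$i" '/BEGIN CERTIFICATE/{c++} c==want' "$bundle" > "$p12.ca$i.pem"
        keytool -import -noprompt -alias "intermed$i" -keystore "$ks" -storepass "$6" \
            -trustcacerts -file "$p12.ca$i.pem"
        rm -f "$p12.ca$i.pem"; i=$((i + 1))
    done
    rm -f "$p12"      # the PKCS12 copy of the private key is no longer needed
    chmod 600 "$ks"   # owner-only: chown it to the Tomcat service account next
}

if [ "$#" -ge 6 ]; then build_keystore "$@"; fi
```

Because server.xml stores keystorePass in clear text, keep that file and the keystore itself readable only by the account Tomcat runs under.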
