Using SSL Certificates with the Apache Tomcat Web Server

Free tools like openssl, keytool, and KeyStore Explorer can be used to transform common SSL certificate formats into archives that are compatible with web servers like Apache Tomcat.

Let’s see how to generate PKCS #12 and JKS archives.

Creating PKCS12 Files

PKCS #12 is a format for storing multiple cryptography objects in a single archive file. You can store arbitrarily complex objects within a PKCS #12 archive, but the most common use is to store a single private key and its certificate chain. Create a PKCS12 file from PEM files:

openssl pkcs12 -export -in ssl_cert.pem -inkey key.pem -certfile bundle.crt -name "*.example.com" -out example.com.p12

Depending on the product you’re working with, the documentation may call for a .pfx file instead of a .p12 file. PFX is an older format that was a predecessor to PKCS #12. In most modern systems, A PFX FILE AND A P12 FILE ARE EXACTLY THE SAME THING! You can just change the extension if needed and that will generally work. For example, the docs for ESET Security Management Center call for a pfx file, but a PKCS12 file will work just fine.

Certificate Troubleshooting

openssl can also extract a lot more information from certificate files. For example, for a PEM certificate:

openssl x509 -text -in ssl_cert.pem

Creating and Viewing Java Keystore Files

Create a JKS file from a PKCS12 file:

keytool -importkeystore -srckeystore _.hamlinandburton.com.p12 -srcstoretype PKCS12 -storetype PKCS12 -destkeystore test.hamlinandburton.com.jks

Many tutorials omit the flag -storetype PKCS12. This flag is important, because there are multiple types of .jks keystore archives. For example, a .jks file could have type JKS, PKCS #12, JCEKS, BKS-V1, BKS, UBER, or BCFKS. Some applications are very picky about which type they will accept. If you omit this flag, keytool will use the default type for the system that’s generating the keystore file. You may get lucky and it will work, or it may not (I’m looking at you, Code42 Authority Server).

View a keystore file:

keytool -list -v -keystore _.hamlinandburton.com.jks

Note the type at the top of the output text.

Leave a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.