Configuring Tomcat for SSL when the private key already exists

by

Astonishingly, JDK‘s keytool includes the ability to generate a private key, but not the ability to [directly] import one. A workaround is to use OpenSSL‘s PKCS12 tool to create a PKCS12 “keystore” for keytool to import:


openssl pkcs12 -export -passout pass:password -in example.com.crt -inkey example.com.key -out example.com.pkcs12 -name example.com -CAfile ca_chain.crt -caname root

keytool -importkeystore -deststorepass password -destkeypass password -destkeystore example.com.keystore -srckeystore example.com.pkcs12 -srcstoretype PKCS12 -srcstorepass password -alias example.com

rm example.com.pkcs12

keytool -import -alias ca_chain -keystore example.com.keystore -storepass password -trustcacerts -file ca_chain.crt

This requires:

  • example.com.key to contain the private key
  • example.com.crt to contain the certificate
  • ca_chain.crt to contain the CA’s certificate chain

This produces:

  • example.com.keystore

The latter can be used in Tomcat‘s server.xml as:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="example.com.keystore" keystorePass="password" keyAlias="example.com"/>

The issues dealt with along the way included:

java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.

because I had not specified keyAlias (I think) and:

java.io.IOException: Alias name example.com does not identify a key entry

because I had the no private key in the keystore, despite having the relevant certificate.

(thanks) (thanks)

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: