Configuring Tomcat for SSL when the private key already exists


Astonishingly, JDK's keytool includes the ability to generate a private key, but not the ability to [directly] import one. A workaround is to use OpenSSL's PKCS12 tool to create a PKCS12 "keystore" for keytool to import:

openssl pkcs12 -export -passout pass:password -in -inkey -out -name -CAfile ca_chain.crt -caname root

keytool -importkeystore -deststorepass password -destkeypass password -destkeystore -srckeystore -srcstoretype PKCS12 -srcstorepass password -alias


keytool -import -alias ca_chain -keystore -storepass password -trustcacerts -file ca_chain.crt

This requires:

  • to contain the private key
  • to contain the certificate
  • ca_chain.crt to contain the CA’s certificate chain

This produces:


The latter can be used in Tomcat's server.xml as:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="" keystorePass="password" keyAlias=""/>

The issues dealt with along the way included:

    SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.

because I had not specified keyAlias (I think), and:

    Alias name does not identify a key entry

because I had no private key in the keystore, despite having the relevant certificate.
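An end-to-end version of the procedure above, as an added example rather than the post's own commands: it creates throwaway key material with OpenSSL so it runs offline, bundles the existing key, certificate and chain into a PKCS12, imports that into a JKS, and checks that the alias is a PrivateKeyEntry rather than a trustedCertEntry, which is the distinction behind the second error. Assumed names are server.key, server.crt, ca_chain.crt, the alias tomcat and the password "password"; the keytool steps run only when keytool is on PATH.

```shell
# Added example (not from the original post): key + cert + chain -> PKCS12 ->
# JKS for Tomcat, checking the alias ends up as a PrivateKeyEntry.
set -eu
WORK="${TMPDIR:-/tmp}/tomcat-ssl-example"; mkdir -p "$WORK"
PASS=password   # assumed password for keystore and key, matching the post
# Constructed throwaway CA and server key pair so the script runs offline;
# in real use server.key, server.crt and ca_chain.crt already exist.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca_chain.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=tomcat.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca_chain.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
}
# Check before bundling: the key's public half must equal the certificate's.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}
# Step 1: PKCS12 with key + cert under alias "tomcat"; -certfile appends the
# chain (labelled "root") without the verification that -CAfile -chain implies.
build_pkcs12() {
  openssl pkcs12 -export -passout "pass:$PASS" -in "$WORK/server.crt" \
    -inkey "$WORK/server.key" -certfile "$WORK/ca_chain.crt" -caname root \
    -name tomcat -out "$WORK/tomcat.p12"
}
# First friendlyName in the bundle: the value Tomcat's keyAlias must match.
p12_friendly_name() {
  openssl pkcs12 -in "$WORK/tomcat.p12" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}
# Step 2: import into a JKS, then add the chain as a trusted certificate entry.
build_jks() {
  keytool -importkeystore -noprompt -srckeystore "$WORK/tomcat.p12" -srcstoretype PKCS12 \
    -srcstorepass "$PASS" -destkeystore "$WORK/tomcat.jks" -deststoretype JKS \
    -deststorepass "$PASS" -destkeypass "$PASS" -alias tomcat 2>/dev/null
  keytool -import -noprompt -alias ca_chain -file "$WORK/ca_chain.crt" -trustcacerts \
    -keystore "$WORK/tomcat.jks" -storepass "$PASS" 2>/dev/null
}
# Entry type for an alias: "PrivateKeyEntry" is what the Connector needs; a
# "trustedCertEntry" alias gives "Alias name does not identify a key entry".
jks_entry_type() {
  keytool -list -keystore "$WORK/tomcat.jks" -storepass "$PASS" 2>/dev/null \
    | sed -n "s/^$1, .*, \([A-Za-z]*Entry\),.*/\1/p"
}
make_test_material
key_matches_cert "$WORK/server.key" "$WORK/server.crt"
build_pkcs12
if command -v keytool >/dev/null 2>&1; then build_jks; fi
```

Pointing the Connector's keystoreFile at tomcat.jks with keyAlias="tomcat" then selects the imported key entry rather than the trusted chain entry.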


