
How to move a certificate from Apache to Tomcat


To move a certificate from Apache to Tomcat please do the following:

Step 1: Switch the certificate from Apache format to Tomcat format

The following OpenSSL command converts the PEM-encoded X.509 certificate and key into a PKCS#12 keystore (you will be prompted for an export password, which later becomes the Tomcat keystore password):
openssl pkcs12 -export -in /path/to/YourSymantecSSLCert.crt -inkey /path/to/YourPrivateKey.key -name tomcat -certfile /path/to/YourIntermediateCertificate.cer -out mycert.p12
YourIntermediateCertificate.cer is the Symantec Intermediate CA certificate. The Intermediate CA is available for download here.

YourSymantecSSLCert.crt is your current SSL certificate.

YourPrivateKey.key is your current private key.
The exported keystore will be in mycert.p12.
Step 2: Point Tomcat to the new certificate

1.  Open %TOMCAT_HOME%/conf/server.xml in an XML or text editor.
2.  Uncomment the SSL Connector if it is still commented out.
3.  Add the following attributes:

keystoreFile="c:\PATH TO CERT.p12" keystorePass="PASSWORD HERE"

4.  Restart Tomcat.
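For reference, a complete SSL Connector element as it would appear in server.xml after Step 2. This is an added illustration, not text from the original article; the port, file path and password are placeholders, and the attribute set assumes a Tomcat 6.x-style connector.

```xml
<!-- Added example: HTTPS connector that uses the PKCS#12 keystore exported in Step 1.
     keystoreType must be set to PKCS12; Tomcat otherwise assumes a JKS keystore and
     cannot open mycert.p12. keystorePass is the export password entered when
     "openssl pkcs12 -export" was run (in a PKCS#12 file the key and store share it).
     Path, port and password below are placeholders. -->
<Connector port="8443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="C:/path/to/mycert.p12"
           keystoreType="PKCS12"
           keystorePass="EXPORT_PASSWORD_FROM_STEP_1" />
```

Because the keystore password sits in clear text in server.xml, restrict read access to that file to the account Tomcat runs as.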

Point the browser to https://localhost:8443. If it doesn’t load, check in the log files to identify the problem.

Note: the PKCS12 keystore type is only supported on JDK 1.5.x and later.

To verify the keystore content Tomcat will load, the following command can be used (it lists the private key entry and the certificate chain stored under the alias "tomcat"):

keytool -list -keystore mycert.p12 -storetype pkcs12 -v

If this fails and you cannot get Tomcat to use the Apache key and certificate, you will need to generate a new key and CSR for Tomcat and have your certificate reissued (replaced) against that CSR for the Tomcat installation.