Solution ID : SO17070

Last Modified : 05/02/2018

How to move an SSL certificate from Apache to Tomcat

Problem

Export certificate from Apache

Import certificate into Tomcat

Export certificate from Apache to Tomcat

Solution

To move a certificate from Apache to Tomcat please do the following:

Step 1: Convert the public and private key pair from Apache to a keystore file

Convert the certificate from Apache format to Tomcat 5.x format by running the following OpenSSL command:
 
openssl pkcs12 -export -in YourRapidSSLCert.crt -inkey YourPrivateKey.key -out mycert.p12 -name tomcat -CAfile YourIntermediateCertificate.cer -caname root -chain
 
where:

  • YourIntermediateCertificate.cer is the RapidSSL Intermediate CA available for download here: AR1548
  • YourRapidSSLCert.crt is your current OpenSSL certificate
  • YourPrivateKey.key is your current private key
  • mycert.p12 is the name of the exported keystore file

Note: If you receive the following error: "Error unable to get issuer certificate getting chain", please append the GeoTrust Global CA Root certificate to the bottom of the YourIntermediateCertificate.cer file. The Root CA is available here: SO21009

To append the root certificate file:

  1. Open YourIntermediateCertificate.cer with a plain text editor such as Notepad or Vi
  2. Copy the contents of the root certificate below: (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines)
  3. Paste the copied contents directly beneath the -----END CERTIFICATE----- line of the bottom of the intermediate certificate
  4. Save the file as YourIntermediateCertificate.cer
  5. Re-run the above OpenSSL command.
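
The pre-flight check below is an added example, not part of the original solution: before running the Step 1 command it confirms that the private key matches the certificate and that the CA file reaches a root, which is the condition behind the "unable to get issuer certificate" error. The function names, the password-file argument with `-passout`, and the throwaway demo PKI are assumptions of this example.

```shell
#!/bin/sh
# Added example. File arguments stand for the page's placeholder names.

# True when the private key and the certificate carry the same public key.
key_matches_cert() {  # usage: key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# True when CAFILE chains CERT up to a self-signed root. An intermediate-only
# file fails here, the case behind "unable to get issuer certificate".
chain_complete() {  # usage: chain_complete CERT CAFILE
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Step 1 export, refused unless both checks pass. PWFILE (an assumption of this
# example) holds the keystore password so the command runs without a prompt.
export_p12() {  # usage: export_p12 CERT KEY CAFILE OUT PWFILE
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    chain_complete "$1" "$3" || { echo "CA file does not reach a root" >&2; return 1; }
    ( umask 077  # the keystore contains the private key: owner-only permissions
      openssl pkcs12 -export -in "$1" -inkey "$2" -out "$4" -name tomcat \
          -CAfile "$3" -caname root -chain -passout "file:$5" )
}

# Number of certificates stored in a PKCS#12 file (leaf + chain).
p12_cert_count() {  # usage: p12_cert_count P12 PWFILE
    openssl pkcs12 -in "$1" -nokeys -passin "file:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Constructed throwaway PKI (root -> intermediate -> leaf) so the checks run offline.
make_demo_pki() {  # usage: make_demo_pki DIR
    d=$1
    echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.cer" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.cer" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.cer" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.cer" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
}
```

With real files, the call would be `export_p12 YourRapidSSLCert.crt YourPrivateKey.key YourIntermediateCertificate.cer mycert.p12 PWFILE`, where PWFILE is a file readable only by the account that runs the export.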

Step 2: Configure the Tomcat Server to use the keystore file

  1. Open %TOMCAT_HOME%/conf/server.xml in an XML or text editor
  2. Uncomment the SSL Connector if it is not uncommented already
  3. Add the following attributes:

    keystoreFile="c:\PATH_TO_mycert.p12" keystorePass="PASSWORD HERE"
    keystoreType="PKCS12"

     
  4. Restart Tomcat.
  5. Point the browser to https://localhost:8443. If it doesn't load, look in the log files to identify the problem.
    Note: The PKCS12 keystore type is only supported with JDK 1.5.x+

 

If you are still unable to convert the Apache key pair to a Tomcat keystore file, you will need to generate a new key and CSR for Tomcat. Please see the instructions in the following solution: SO13990. Once you have the new CSR file, please follow these instructions to reissue your certificate for Tomcat compatibility: SO5757