Solution ID : SO17598

Last Modified : 05/02/2018

How to move an SSL certificate from Tomcat to Apache



Note: Keytool and OpenSSL are third-party tools that are not supported by Thawte.

Step 1: Use keytool to convert the keystore to a p12 file

keytool -importkeystore -srckeystore [originalkeystore] -destkeystore [new_keystore_mystore.p12] -deststoretype PKCS12 -srcstorepass [keystore_password] -deststorepass [new_password] -srcalias [original_alias] -destalias [new_alias] -srckeypass [original_alias_password] -destkeypass [new_password] -noprompt

The output file is [new_keystore_mystore.p12]

  1. Use OpenSSL to extract the private key:
    openssl.exe pkcs12 -in new_keystore_mystore.p12 -nocerts -out privatekey.pem

  2. Use OpenSSL to extract the certificate:
    openssl.exe pkcs12 -in new_keystore_mystore.p12 -clcerts -nokeys -out publicCert.pem


Save the two files (privatekey.pem and publicCert.pem) to the Apache server

Step 2: Import files into the Apache server:

      1. Download the intermediate certificate. Thawte Intermediate CA certificates can be found here: INFO1384

      2. Using a plain text editor, save the Intermediate CA certificate as intermediate.crt, to the appropriate folder.

For example: /etc/apache2/ssl.crt/intermediate.crt
The text file should look like the example below:

[encoded data]

Make sure there are 5 dashes to either side of the BEGIN CERTIFICATE and END CERTIFICATE and that no white space, extra line breaks or additional characters have been added.
      3. Open the httpd.conf file using a plain text editor and update the directives so they point to the location where the 3 files were saved:

Make sure the Virtual host looks similar to the example below:

<VirtualHost x.x.x.x:443>
SSLCertificateFile /Path to the file.../publicCert.pem
SSLCertificateKeyFile /Path to the file.../privatekey.pem
SSLCACertificateFile /Path to the file.../intermediate.crt
</VirtualHost>

Note: Depending on the version of Apache, the directive SSLCACertificateFile may be SSLCertificateChainFile.

      4. Restart Apache


The latest version of the JDK can be downloaded here:

For more information concerning OpenSSL please visit: