vicker313 tech blog

September 12, 2013

Transfer SSL Certificate from Tomcat to Apache

Filed under: Apache, Tomcat — Tags: , , — vicker313 @ 11:27 pm

After Setup Tomcat with Apache Web Server in Linux, you might want to transfer the SSL certificate from Apache Tomcat Server to Apache Web Server.

  1. Convert Tomcat SSL Certificate to Apache Web Server SSL Certificate:
    • keytool -importkeystore -scrkeystore [tomcat key file] -destkeystore [new p12 key file] -srcstoretype jks -deststoretype pkcs12
    • openssl pkcs12 -in [new p12 key file] -out [new pem file]
    • openssl x509 -text -in [new pem file]
    • (command above will show some text, copy the certificate portion and paste to a new certificate file)
  2. [Optional] Convert the certificate to run without password
    • openssl rsa -in [new pem file] -out [no password pem file]
    • openssl x509 -text -in [no password pem file]
    • (same as step 1, copy the certificate portion and paste to a new certificate file)
  3. Edit httpd.conf:
    • uncomment “Inlucde conf/extra/httpd-ssl.conf”
    • enable mod_ssl
    • enable mod_socache_shmcb
  4. Edit httpd-ssl.conf:
    • SSLCertificateFile [certificate file location]
    • SSLCertificateKeyFile [pem file location]
    • add JkMount /[SSL Web] balancer

December 23, 2010

Setup SSL Certificate at Tomcat

Filed under: Server, Tomcat — Tags: , , — vicker313 @ 9:12 am

The method here is to implement CA certified SSL certificate in Tomcat Service.

  1. Generate a key store file using keytool utility (installed together with JDK). It will ask for a password to generate the key store file.
    keytool -genkey -alias <any alias name> -keyalg RSA -keystore <output file>
    For example:
    keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.key
  2. Generate a certificate request file.
    keytool -certreq -keyalg RSA -alias <alias> -file <output file> -keystore <keystore file>
    keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore tomcat.key
  3. Then submit the certificate request to your CA. Normally you just need to submit the content of the request file.
  4. As a result you will get the content of the certificate. Copy the content and save it as a certificate file (for example tomcat.cer)
  5. For some CA (like Thawte), you need to download the CA trusted certificate from the their website in order to complete the implementation (EV_Root.cer and EV_intermediate.cer)
  6. Finally import the certificates using command below:
    keytool -import -alias <alias name> -keystore <keystore file> -trustcacerts -file <certificate>
    For example:
    keytool -import -alias EV_Root -keystore online.key -trustcacerts -file EV_Root.cer
    keytool -import -alias EV_intermediate -keystore online.key -trustcacerts -file EV_intermediate.cer
    keytool -import -alias tomcat -keystore tomcat.key -trustcacerts -file tomcat.cer

Some references to retrieve private key from the key store that you generate.

Blog at