A run-in with Tomcat SSL and Java keytool

I recently had the pleasure of setting up a Jasig CAS server on campus. The install went without a hitch. I initially brought it online with a self-signed certificate, which was a no-brainer as the Tomcat docs are great.

Once we got our SSL certificate, though, I realised that the private key and keystore I had initially generated for the self-signed certificate hadn't been used for the Certificate Signing Request the sysadmins had sent to the Certificate Authority. So I had a private key for the SSL certificate, but the one in the keystore was different. Problem 1. And it's not possible to import a private key into a keystore using keytool, because it simply doesn't have that ability. Problem 2.

Thankfully, this is fixed in Java 6: keytool can now import a PKCS12 file into a keystore. But first you need to get your certificate and private key into that format. You can use OpenSSL for this:

openssl pkcs12 -inkey /path/to/private/key -in /path/to/certificate -export -out bundle.p12

Now we have a file called bundle.p12 which we will import into our keystore via keytool:

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore /path/to/keystore -srckeystore /path/to/bundle.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias 1

keytool needs an alias to pick an entry out of the PKCS12 file. OpenSSL names the single entry "1" when no -name is given to openssl pkcs12, so -alias 1 selects the key-and-certificate entry we just bundled.

Finally the Tomcat config:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/path/to/keystore" keystorePass="changeit" />
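The same procedure as a script, an added example rather than anything from the original post: it first checks that the private key really belongs to the certificate (the mismatch that caused Problem 1), and only then bundles and imports. It assumes openssl and keytool are on the PATH; the file paths, alias and password are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumes openssl and keytool on PATH.
set -eu

# Exit 0 when the public half of the private key equals the public key in the
# certificate, 1 otherwise. Run this before touching the keystore: a key that
# was not used for the CSR will fail here instead of after the import.
key_matches_cert() {
    key="$1"; cert="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then
        return 0
    else
        return 1
    fi
}

# Bundle key + certificate into a PKCS12 file and import it into the keystore
# under $alias. Arguments: key cert keystore alias password.
# The password is the keystore password; the post uses Tomcat's default
# "changeit", which should be replaced with a real one on a production server.
import_into_keystore() {
    key="$1"; cert="$2"; keystore="$3"; alias="$4"; pass="$5"
    key_matches_cert "$key" "$cert" || {
        echo "refusing to import: private key does not match certificate" >&2
        return 1
    }
    bundle=$(mktemp)
    # -name sets the PKCS12 friendlyName; without it OpenSSL uses "1",
    # which is why the post imports with -alias 1.
    openssl pkcs12 -export -inkey "$key" -in "$cert" -name "$alias" \
        -passout "pass:$pass" -out "$bundle"
    keytool -importkeystore -noprompt \
        -destkeystore "$keystore" -deststorepass "$pass" -destkeypass "$pass" \
        -srckeystore "$bundle" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -alias "$alias"
    rm -f "$bundle"
    # Confirm the entry landed under the expected alias (non-zero exit if not).
    keytool -list -keystore "$keystore" -storepass "$pass" -alias "$alias"
}
```

Calling `import_into_keystore server.key server.crt /path/to/keystore tomcat changeit` then leaves a keystore whose alias `tomcat` matches the certificate Tomcat will serve.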
