I recently had the pleasure of setting up a Jasig CAS server on campus. The install went without a hitch. I initially brought it online with a self-signed certificate, which was a no-brainer as the Tomcat docs are great.
Once we got our SSL certificate, though, I realised that the private key and keystore I had initially generated for the self-signed certificate weren't the ones used for the Certificate Signing Request that the sysadmins had sent away to the Certificate Authority. So I had a private key for the SSL certificate, but the one in the keystore was different. Problem 1. And it's not possible to import a private key into a keystore using keytool, because it doesn't have that ability. Problem 2.
Thankfully, this is fixed in Java 6: keytool can now import a PKCS12 file into a keystore. But first you need to get your certificate and private key into that format. You can use OpenSSL for this:
openssl pkcs12 -inkey /path/to/private/key -in /path/to/certificate -export -out bundle.p12
Now we have a file called bundle.p12 which we will import into our keystore via keytool:
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore /path/to/keystore -srckeystore /path/to/bundle.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias 1
The alias 1 is required to tell keytool which entry to import: it is the name given to the first certificate in the PKCS12 file.
Finally the Tomcat config:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/path/to/keystore" keystorePass="changeit" />
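As an added example (my own script, not code from the original post), the same two steps wrapped in a shell script that first checks the private key actually belongs to the certificate, so a mismatch like Problem 1 is caught before anything is bundled, and optionally includes the CA chain. It assumes openssl and keytool are on PATH; the file names, the -certfile chain option and the alias tomcat (set with -name, which is why the import uses that alias instead of 1) are my choices.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl and keytool
# are on PATH. File names, the alias "tomcat" and the optional chain file are
# illustrative; "changeit" is the placeholder password used in the post.

# Return 0 only if the public key in the certificate is the one derived from
# the private key. This is the check that would have caught "Problem 1".
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Bundle key + certificate (+ optional CA chain) into a PKCS12 file.
# Arguments: key cert chain-or-empty output password
build_p12() {
  key=$1; cert=$2; chain=$3; out=$4; pass=$5
  key_matches_cert "$key" "$cert" || {
    echo "private key does not match $cert; refusing to bundle" >&2
    return 1
  }
  # -certfile adds the intermediate certificates so clients get a full chain.
  # On OpenSSL 3 an old JDK may need "-legacy" to read the resulting file.
  if [ -n "$chain" ]; then
    openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
      -name tomcat -out "$out" -passout "pass:$pass"
  else
    openssl pkcs12 -export -inkey "$key" -in "$cert" \
      -name tomcat -out "$out" -passout "pass:$pass"
  fi
}

# Import the PKCS12 entry into the Tomcat keystore under the same alias.
# Arguments: p12 keystore password
import_p12() {
  keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
    -srcstorepass "$3" -srcalias tomcat \
    -destkeystore "$2" -deststorepass "$3" -destkeypass "$3" -destalias tomcat
}

# Usage: sh bundle.sh key.pem cert.pem chain.pem bundle.p12 keystore.jks
# (pass "" as chain.pem if there are no intermediate certificates)
if [ "$#" -eq 5 ]; then
  build_p12 "$1" "$2" "$3" "$4" changeit && import_p12 "$4" "$5" changeit
fi
```

If keytool later shows the wrong alias, run `openssl pkcs12 -in bundle.p12 -info -nokeys` to see the friendlyName the bundle carries.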