
import signed certificate into tomcat

 
James Ellis
Ranch Hand
Posts: 205
I am able to configure an SSL connection on tomcat using a self-signed certificate, but I am not sure how to use a certificate that we have purchased from Verisign. I am assuming the first thing I need to do is get the certificate from our Network Admin...but he doesn't know how to get it or what type of file it is. So my questions are:

What type of file should I be looking for (extension)?

Once I have this file, how do I convert it into the keystore file that tomcat recognizes?

Thanks,
Jim
 
Gareth Western
Ranch Hand
Posts: 45
Disclaimer: I'm fairly new to SSL so I do not guarantee my answers are 100% accurate ;-)

I think the extensions of the files for your Verisign certificate will be something like .crt, .key, and .pem

By default a standalone Tomcat installation (with the SSL connector in the server.xml) uses the JSSE Keystore, so you'll need to import your Verisign certificate into this keystore.

Here's a link to an article with various conversion tips
 
James Ellis
Ranch Hand
Posts: 205
Here are a couple possible solutions I found over the last few days:

Solution A - Use a pkcs12 file
1) Get the certificate (with a .pfx extension) from the network admin.
2) Follow steps to convert the keystore from a .pfx to a pkcs12 file (.p12 extension) listed in http://www.jguru.com/faq/view.jsp?EID=532461
You will use the .p12 file INSTEAD of the keystore.

Solution B - Create the certificate yourself
1) Create the keystore using the keytool command.
2) Follow the steps listed in http://mark.foster.cc/kb/openssl-keytool.html to convert the keystore file to a .pfx file.
3) Get the .pfx file signed (not sure if this would cost extra money if you've already paid for a certificate)
4) Give the .pfx file to the network admin and have them replace the existing certificate

I could be wrong here...but from what I found there really is no way to import a certificate into the keystore that was not originally created by the keytool. The reason for this is that the keystore is simply a file that contains a public and private key. When you do an import the only thing that is imported is the public key...NOT the private key. So, unless you are importing a signed version of the exact same public key that corresponds to the private key - the two won't match.

So basically if you are going to import into the keystore, it better be the same certificate that you generated using keytool and that you exported - just stamped with verisign's or thawte's approval.

Hope this helps.
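The "same key" rule in the post above, as an added example that is not part of the thread: an openssl-only walk-through that generates a key pair, has its CSR signed by a constructed throw-away CA standing in for Verisign, checks that the returned certificate belongs to the private key (and that an unrelated key does not), and packs key, certificate and chain into the .p12 file that Solution A uses. The CA, host name, file names and password are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the "same key" rule demonstrated with
# openssl only. A constructed throw-away CA stands in for Verisign; all names,
# paths and the password are assumptions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Prints "match" when the certificate's public key belongs to the private key,
# "MISMATCH" otherwise. This is exactly what fails when a certificate is
# imported over a key pair it was never issued for.
key_matches_cert() {
  key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
  if [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]; then echo match; else echo MISMATCH; fi
}

# 1) Constructed CA (stand-in for the commercial CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2) Server key pair and CSR. The CSR carries only the public key; the private
#    key never leaves this host (keytool -certreq does the same thing).
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl req -new -key "$WORK/server.key" -subj "/CN=tomcat.example.test" \
  -out "$WORK/server.csr" 2>/dev/null

# 3) The CA signs the CSR: the returned certificate wraps the same public key.
openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null

# 4) An unrelated key pair, to show what a mismatched import looks like.
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

# 5) Bundle key + cert + chain into PKCS12 (the thread's "Solution A"). Tomcat
#    loads this file in place of a JKS keystore with keystoreType="PKCS12".
openssl pkcs12 -export -name tomcat -inkey "$WORK/server.key" -in "$WORK/server.crt" \
  -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/server.p12" 2>/dev/null

echo "server.key vs server.crt: $(key_matches_cert "$WORK/server.key" "$WORK/server.crt")"
echo "other.key  vs server.crt: $(key_matches_cert "$WORK/other.key" "$WORK/server.crt")"
```

Run the same modulus comparison against the .pfx exported from the network admin's machine and the key in your keystore before attempting any import: a MISMATCH means the two were never a pair, no matter who signed the certificate.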
 