import signed certificate into tomcat

James Ellis
Ranch Hand

Joined: Oct 14, 2004
Posts: 205
I am able to configure an SSL connection on tomcat using a self-signed certificate, but I am not sure how to use a certificate that we have purchased from Verisign. I am assuming the first thing I need to do is get the certificate from our Network Admin...but he doesn't know how to get it or what type of file it is. So my questions are:

What type of file should I be looking for (extension)?

Once I have this file, how do I convert it into the keystore file that tomcat recognizes?

Gareth Western
Ranch Hand

Joined: Apr 07, 2004
Posts: 45
Disclaimer: I'm fairly new to SSL so I do not guarantee my answers are 100% accurate ;-)

I think the extensions of the files for your Verisign certificate will be something like .crt, .key, and .pem

By default a standalone Tomcat installation (with the SSL connector in the server.xml) uses the JSSE Keystore, so you'll need to import your Verisign certificate into this keystore.

Here's a link to an article with various conversion tips
James Ellis
Ranch Hand

Joined: Oct 14, 2004
Posts: 205
Here are a couple possible solutions I found over the last few days:

Solution A - Use a pkcs12 file
1) Get the certificate (with a .pfx extension) from the network admin.
2) Follow steps to convert the keystore from a .pfx to a pkcs12 file (.p12 extension) listed in
You will use the .p12 file INSTEAD of the keystore.

Solution B - Create the certificate yourself
1) Create the keystore using the keytool command.
2) Follow the steps listed in to convert the keystore file to a .pfx file.
3) Get the .pfx file signed (not sure if this would cost extra money if you've already paid for a certificate)
4) Give the .pfx file to the network admin and have them replace the existing certificate

I could be wrong here...but from what I found there really is no way to import a certificate into the keystore that was not originally created by the keytool. The reason for this is that the keystore is simply a file that contains a public and private key. When you do an import the only thing that is imported is the public key...NOT the private key. So, unless you are importing a signed version of the exact same public key that corresponds to the private key - the two won't match.

So basically if you are going to import into the keystore, it better be the same certificate that you generated using keytool and that you exported - just stamped with Verisign's or Thawte's approval.

Hope this helps.
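The point made in the post above (the CA-signed certificate must be a reply for the very key pair that keytool generated, because an import never brings a private key with it) can be checked end to end with keytool alone. The script below is an added example, not code from the thread or from Tomcat: it creates the server key pair in a keystore, exports a certificate signing request (the CSR is what a CA such as Verisign signs; the example stands in a locally generated CA keystore because no real CA is reachable offline), imports the CA certificate and then the signed reply under the same alias, and finally verifies that the alias is still a PrivateKeyEntry whose chain now has two certificates. It also shows the PKCS12 route from Solution A by exporting the finished entry to a .p12 file. Host name, organisation fields, the alias `tomcat` and the password `changeit` are placeholders chosen for this example; only the JDK's `keytool` (JDK 7 or later, for `-gencert`) is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: the keytool round trip that actually keeps private key and
# signed certificate together. Not from the original thread. Assumes a JDK
# keytool on PATH; all names, DNs and the password are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="changeit"     # placeholder password, never use this in production
SERVER_KS="$WORK/tomcat.jks"
CA_KS="$WORK/ca.jks"     # stand-in for the commercial CA, constructed locally

# Step 1: generate the private key and a self-signed placeholder cert in the keystore.
# This is the only moment a private key enters the store.
create_server_keystore() {
  keytool -genkeypair -keystore "$SERVER_KS" -storepass "$STOREPASS" \
    -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=www.example.com, OU=IT, O=Example, L=City, ST=State, C=US" >/dev/null 2>&1
}

# Step 2: export a CSR for that key. The CSR (not a .pfx) is what you hand to the CA.
create_csr() {
  keytool -certreq -keystore "$SERVER_KS" -storepass "$STOREPASS" \
    -alias tomcat -file "$WORK/tomcat.csr" >/dev/null 2>&1
}

# Stand-in CA: a local CA key pair that signs the CSR with keytool -gencert.
sign_csr_with_local_ca() {
  keytool -genkeypair -keystore "$CA_KS" -storepass "$STOREPASS" \
    -alias ca -keyalg RSA -keysize 2048 -validity 3650 \
    -dname "CN=Example Test CA, O=Example, C=US" -ext bc=ca:true >/dev/null 2>&1
  keytool -exportcert -keystore "$CA_KS" -storepass "$STOREPASS" \
    -alias ca -rfc -file "$WORK/ca.pem" >/dev/null 2>&1
  keytool -gencert -keystore "$CA_KS" -storepass "$STOREPASS" -alias ca \
    -infile "$WORK/tomcat.csr" -outfile "$WORK/tomcat-signed.pem" \
    -rfc -validity 365 >/dev/null 2>&1
}

# Step 3: import the CA certificate as a trusted entry (so the chain can be built),
# then import the signed reply under the SAME alias as the private key. keytool
# refuses the reply if its public key does not match the key stored under that alias,
# which is exactly the mismatch the thread describes.
import_signed_reply() {
  keytool -importcert -noprompt -keystore "$SERVER_KS" -storepass "$STOREPASS" \
    -alias rootca -file "$WORK/ca.pem" >/dev/null 2>&1
  keytool -importcert -noprompt -keystore "$SERVER_KS" -storepass "$STOREPASS" \
    -alias tomcat -file "$WORK/tomcat-signed.pem" >/dev/null 2>&1
}

# Solution A variant: move the finished key+chain entry into a PKCS12 file that
# Tomcat can use directly with keystoreType="PKCS12".
export_pkcs12() {
  keytool -importkeystore -noprompt \
    -srckeystore "$SERVER_KS" -srcstorepass "$STOREPASS" -srcalias tomcat \
    -destkeystore "$WORK/tomcat.p12" -deststorepass "$STOREPASS" \
    -deststoretype PKCS12 >/dev/null 2>&1
}

# Checks: entry type of the alias and length of its certificate chain, read from
# the "Entry type:" and "Certificate chain length:" lines of keytool -list -v.
entry_type() {
  keytool -list -v -keystore "$SERVER_KS" -storepass "$STOREPASS" -alias tomcat 2>/dev/null \
    | sed -n 's/^Entry type: //p'
}
chain_length() {
  keytool -list -v -keystore "$SERVER_KS" -storepass "$STOREPASS" -alias tomcat 2>/dev/null \
    | sed -n 's/^Certificate chain length: //p'
}
# Exit status 0 only if the PKCS12 file contains the alias.
pkcs12_has_alias() {
  keytool -list -keystore "$WORK/tomcat.p12" -storetype PKCS12 \
    -storepass "$STOREPASS" -alias tomcat >/dev/null 2>&1
}

run_all() {
  create_server_keystore
  create_csr
  sign_csr_with_local_ca
  import_signed_reply
  export_pkcs12
  echo "alias tomcat: $(entry_type), chain length $(chain_length)"
  echo "keystores written under $WORK"
}

# Run the whole flow only when invoked as: sh thisfile.sh run
[ "${1:-}" = "run" ] && run_all
```

Before the reply is imported, `entry_type` already reports `PrivateKeyEntry` but the chain length is 1 (the self-signed placeholder); after a successful import it is 2. For Tomcat the resulting `tomcat.jks` goes in the connector's `keystoreFile`/`keystorePass` attributes, and the `tomcat.p12` variant additionally needs `keystoreType="PKCS12"`; with a real CA the only change is that `sign_csr_with_local_ca` is replaced by submitting `tomcat.csr` to the CA and importing the CA's root and intermediate certificates instead of `ca.pem`.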
I agree. Here's the link: