I am able to configure an SSL connection on tomcat using a self-signed certificate, but I am not sure how to use a certificate that we have purchased from Verisign. I am assuming the first thing I need to do is get the certificate from our Network Admin...but he doesn't know how to get it or what type of file it is. So my questions are:
What type of file should I be looking for (extension)?
Once I have this file, how do I convert it into the keystore file that tomcat recognizes?
Here are a couple of possible solutions I found over the last few days:
Solution A - Use a pkcs12 file
1) Get the certificate (with a .pfx extension) from the network admin.
2) Follow the steps to convert the keystore from a .pfx to a pkcs12 file (.p12 extension) listed in http://www.jguru.com/faq/view.jsp?EID=532461
You will use the .p12 file INSTEAD of the keystore.
Solution B - Create the certificate yourself
1) Create the keystore using the keytool command.
2) Follow the steps listed in http://mark.foster.cc/kb/openssl-keytool.html to convert the keystore file to a .pfx file.
3) Get the .pfx file signed (not sure if this would cost extra money if you've already paid for a certificate).
4) Give the .pfx file to the network admin and have them replace the existing certificate.
I could be wrong here...but from what I found there really is no way to import a certificate into the keystore that was not originally created by keytool. The reason for this is that the keystore is simply a file that contains a public and private key. When you do an import the only thing that is imported is the public key...NOT the private key. So, unless you are importing a signed version of the exact same public key that corresponds to the private key, the two won't match.
So basically, if you are going to import into the keystore, it had better be the same certificate that you generated using keytool and that you exported - just stamped with Verisign's or Thawte's approval.
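The following script is an added example, not part of the original question or answer, that walks both routes from the answer above end to end with the JDK's keytool and openssl and then checks what actually ended up in each keystore. The hostname, alias, password and port are assumptions, and the "CA" is a constructed self-signed root standing in for Verisign so everything runs offline; in practice the CSR goes to the CA and the signed certificate comes back from it.

```shell
#!/bin/sh
# Added example (not from the original post). Walks both routes from the answer
# above with keytool (JDK) and openssl, offline. Assumptions: the hostname,
# alias, password and port below; the "CA" is a constructed self-signed root
# standing in for Verisign so the script runs without a real CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir for every file produced
HOST="www.example.com"          # assumed hostname (certificate CN)
ALIAS="tomcat"                  # assumed key-entry alias, reused in server.xml
PASS="changeit"                 # assumed keystore/key password

# Constructed stand-in for the commercial CA: a self-signed root that only
# exists to sign our CSRs locally.
make_fake_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Solution B: the key pair is born inside the JKS keystore, only a CSR leaves
# it, and the signed certificate comes back under the SAME alias. keytool
# attaches the reply to the private key it already holds, which is why the
# "exported, then stamped" certificate matches and an unrelated one would not.
solution_b_csr_flow() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$HOST, O=Example, C=US" -storetype JKS \
    -keystore "$WORK/tomcat.jks" -storepass "$PASS" -keypass "$PASS"
  keytool -certreq -alias "$ALIAS" -file "$WORK/tomcat.csr" \
    -keystore "$WORK/tomcat.jks" -storepass "$PASS"
  # Real life: upload tomcat.csr to the CA and download the signed cert.
  openssl x509 -req -in "$WORK/tomcat.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/tomcat.crt" 2>/dev/null
  # Root (and any intermediates) first, so keytool can verify the reply ...
  keytool -importcert -noprompt -alias root -file "$WORK/ca.crt" \
    -keystore "$WORK/tomcat.jks" -storepass "$PASS"
  # ... then the signed cert into the existing key entry.
  keytool -importcert -noprompt -alias "$ALIAS" -file "$WORK/tomcat.crt" \
    -keystore "$WORK/tomcat.jks" -storepass "$PASS"
}

# Solution A: the admin hands over a .pfx. A .pfx already IS a PKCS12 file
# (private key + certificate chain), so Tomcat can use it as-is with
# keystoreType="PKCS12", or it can be moved into a JKS file with -importkeystore.
solution_a_pfx() {
  # Constructed .pfx, standing in for the one exported by the Windows admin.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/admin.key" -out "$WORK/admin.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/admin.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/admin.crt" 2>/dev/null
  openssl pkcs12 -export -name "$ALIAS" -inkey "$WORK/admin.key" \
    -in "$WORK/admin.crt" -certfile "$WORK/ca.crt" \
    -out "$WORK/admin.pfx" -passout "pass:$PASS"
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/admin.pfx" -srcstoretype PKCS12 -srcstorepass "$PASS" \
    -destkeystore "$WORK/converted.jks" -deststoretype JKS -deststorepass "$PASS"
}

# Check: does the keystore hold a PRIVATE key under the alias? Tomcat cannot
# serve TLS from a trustedCertEntry, so run this after any import.
has_key_entry() {   # $1 keystore, $2 alias, $3 store type
  keytool -list -keystore "$1" -storetype "$3" -storepass "$PASS" -alias "$2" \
    2>/dev/null | grep -q PrivateKeyEntry
}

# Prints the certificate chain length keytool reports for a key entry.
chain_length() {    # $1 keystore, $2 alias, $3 store type
  keytool -list -v -keystore "$1" -storetype "$3" -storepass "$PASS" \
    -alias "$2" 2>/dev/null | sed -n 's/^Certificate chain length: //p'
}

# The Tomcat <Connector> that uses the result (assumed port 8443).
print_connector() { # $1 keystore file, $2 store type
  cat <<EOF
<Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="$1" keystoreType="$2" keystorePass="$PASS"
           keyAlias="$ALIAS" clientAuth="false" sslProtocol="TLS" />
EOF
}

main() {
  if ! command -v openssl >/dev/null 2>&1 || ! command -v keytool >/dev/null 2>&1; then
    echo "needs openssl and a JDK keytool on PATH; nothing done" >&2
    return 0
  fi
  make_fake_ca
  solution_b_csr_flow
  solution_a_pfx
  has_key_entry "$WORK/tomcat.jks" "$ALIAS" JKS && echo "B: private key entry ok"
  has_key_entry "$WORK/converted.jks" "$ALIAS" JKS && echo "A: private key entry ok"
  print_connector "$WORK/converted.jks" JKS
}
main
```

The check at the end is the one worth keeping: `keytool -list` must show the alias as a PrivateKeyEntry, and `keytool -list -v` must show a chain length greater than 1. If the alias shows up as a trustedCertEntry, only a public certificate was imported and Tomcat will not be able to use it for the connector.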