import signed certificate into tomcat

James Ellis
Ranch Hand

Joined: Oct 14, 2004
Posts: 205
I am able to configure an SSL connection on tomcat using a self-signed certificate, but I am not sure how to use a certificate that we have purchased from Verisign. I am assuming the first thing I need to do is get the certificate from our Network Admin...but he doesn't know how to get it or what type of file it is. So my questions are:

What type of file should I be looking for (extension)?

Once I have this file, how do I convert it into the keystore file that tomcat recognizes?

Gareth Western
Ranch Hand

Joined: Apr 07, 2004
Posts: 45
Disclaimer: I'm fairly new to SSL so I do not guarantee my answers are 100% accurate ;-)

I think the extensions of the files for your Verisign certificate will be something like .crt, .key, and .pem

By default a standalone Tomcat installation (with the SSL connector in the server.xml) uses the JSSE Keystore, so you'll need to import your Verisign certificate into this keystore.

Here's a link to an article with various conversion tips
James Ellis
Ranch Hand

Joined: Oct 14, 2004
Posts: 205
Here are a couple possible solutions I found over the last few days:

Solution A - Use a pkcs12 file
1) Get the certificate (with a .pfx extension) from the network admin.
2) Follow steps to convert the keystore from a .pfx to a pkcs12 file (.p12 extension) listed in
You will use the .p12 file INSTEAD of the keystore.

Solution B - Create the certificate yourself
1) Create the keystore using the keytool command.
2) Follow the steps listed in to convert the keystore file to a .pfx file.
3) Get the .pfx file signed (not sure if this would cost extra money if you've already paid for a certificate)
4) Give the .pfx file to the network admin and have them replace the existing certificate

I could be wrong here...but from what I found there really is no way to import a certificate into the keystore that was not originally created by the keytool. The reason for this is that the keystore is simply a file that contains a public and private key. When you do an import the only thing that is imported is the public key...NOT the private key. So, unless you are importing a signed version of the exact same public key that corresponds to the private key - the two won't match.

So basically if you are going to import into the keystore, it better be the same certificate that you generated using keytool and that you exported - just stamped with verisign's or thawte's approval.

Hope this helps.
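Solution A above (and the "import into the JSSE keystore" step in the earlier reply) can be done without any conversion tool, because a .pfx is already a PKCS#12 container holding the private key and the certificate chain. The following is an added example, not code from the thread or from Tomcat: a small Java program that opens the .pfx with java.security.KeyStore, refuses to proceed unless it finds a private-key entry whose certificate really matches the key (the point made above about the public key alone being useless), and writes a JKS keystore that Tomcat's JSSE connector reads. The file names, passwords and the alias "tomcat" are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Added example (not from the thread): turn the .pfx handed over by the
 * network admin into the JKS keystore Tomcat's JSSE connector expects.
 *
 * The check that matters is that the entry we copy is a key entry (private
 * key + certificate chain), not a trusted-certificate entry: a certificate
 * without its private key cannot terminate an SSL connection.
 *
 * Usage (names and passwords are assumptions for illustration):
 *   java PfxToJks server.pfx pfx-password tomcat.jks changeit tomcat
 */
public class PfxToJks {

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: PfxToJks <in.pfx> <pfx-password> <out.jks> <jks-password> <alias>");
            System.exit(2);
        }
        String pfxFile = args[0];
        char[] pfxPassword = args[1].toCharArray();
        String jksFile = args[2];
        char[] jksPassword = args[3].toCharArray();
        String alias = args[4];

        // A .pfx is a PKCS#12 file; the KeyStore API reads it directly.
        KeyStore pfx = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(pfxFile)) {
            pfx.load(in, pfxPassword);
        }

        // Locate the private-key entry; its alias is whatever the exporter chose.
        String keyAlias = null;
        for (String a : Collections.list(pfx.aliases())) {
            if (pfx.isKeyEntry(a)) {
                if (keyAlias != null) {
                    throw new IllegalStateException("more than one private key in " + pfxFile);
                }
                keyAlias = a;
            }
        }
        if (keyAlias == null) {
            // Failure mode from the thread: a file carrying only the public
            // certificate (.crt/.cer) cannot become a server keystore.
            throw new IllegalStateException(pfxFile
                    + " holds no private key; ask for the PKCS#12 export, not the .crt");
        }

        // Most exporters protect the key with the same password as the file.
        Key key = pfx.getKey(keyAlias, pfxPassword);
        Certificate[] chain = pfx.getCertificateChain(keyAlias);
        if (!(key instanceof PrivateKey) || chain == null || chain.length == 0) {
            throw new IllegalStateException("entry " + keyAlias + " is not a usable private key + chain");
        }

        // Prove the leaf certificate belongs to this private key, then make sure
        // the certificate is inside its validity period.
        X509Certificate leaf = (X509Certificate) chain[0];
        if (!keyMatchesCertificate((PrivateKey) key, leaf)) {
            throw new IllegalStateException("private key does not match certificate "
                    + leaf.getSubjectX500Principal());
        }
        leaf.checkValidity();

        // Write a JKS keystore. Tomcat uses keystorePass for the key as well
        // unless keyPass is set, so the same password is used for both here.
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null);
        jks.setKeyEntry(alias, key, jksPassword, chain);
        try (OutputStream out = new FileOutputStream(jksFile)) {
            jks.store(out, jksPassword);
        }
        System.out.println("wrote " + jksFile + " with alias '" + alias + "' for "
                + leaf.getSubjectX500Principal() + " (chain length " + chain.length + ")");
    }

    /** Sign a fixed message with the private key and verify it with the certificate's public key. */
    static boolean keyMatchesCertificate(PrivateKey key, X509Certificate cert) throws Exception {
        // Pick a signature algorithm that fits the key type of the server key.
        String algorithm = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
        byte[] message = "keystore-self-test".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(algorithm);
        signer.initSign(key);
        signer.update(message);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(algorithm);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(message);
        return verifier.verify(sig);
    }
}
```

The resulting file goes into the HTTPS Connector in server.xml through keystoreFile and keystorePass (plus keyAlias if the keystore ends up with more than one key entry). Tomcat can also read the .pfx directly by setting keystoreType="PKCS12" on the Connector, which is what "use the .p12 file INSTEAD of the keystore" in Solution A amounts to; the conversion is only needed if you want everything in a single JKS file managed with keytool.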
I agree. Here's the link: