Using OpenSSL to Create a Certificate Keystore for Tomcat
If you have a private key, an SSL certificate, and a certificate bundle from a Certificate Authority (CA), you can use OpenSSL to create a certificate keystore that Tomcat can use.
The following components are required to create a keystore for Tomcat:
- Private key with a .key file extension from CA
- SSL certificate file from CA
- Certificate bundle from CA
- Execute the following command to create a .p12 keystore bundle from the private key, SSL certificate, and certificate bundle:

    openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12 -name tomcat -CAfile myCA.crt -caname root -chain

- Enter a password of "changeit" when prompted.
  Note: If a different password is used, it will need to be specified in the server.xml file.
- Once the .p12 keystore bundle is created, move it to the root of the Tomcat directory.
- Modify the server.xml file so the connector port includes the following:
- Also, update the keystoreFile line of the server.xml file so that it points at the new keystore bundle.
- Restart Tomcat.
  See Starting and Stopping Tomcat for instructions.
- Browse to the JSS and verify that the correct certificate is now being used. (For example, in Safari, click the lock button in the upper-right corner of the browser window.)
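The keystore step above as an added, self-contained example (not the page's own procedure): it builds throwaway CA and server material, runs the same openssl pkcs12 command non-interactively, and then checks that the bundle opens with the password, contains the CA certificate that -chain is supposed to add, and carries the alias that server.xml will reference. All file names are constructed; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original page: rebuild the page's keystore step
# on throwaway material and inspect the result before pointing Tomcat at it.
set -e

# Constructed stand-ins for the three inputs the page requires: a CA bundle
# (myCA.crt), a server private key (mykey.key) and a CA-signed server
# certificate (mycert.crt). A real deployment uses the files the CA issued.
build_test_material() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$dir/myCA.key" -out "$dir/myCA.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=jss.example.com" \
    -keyout "$dir/mykey.key" -out "$dir/mycert.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/mycert.csr" -CA "$dir/myCA.crt" \
    -CAkey "$dir/myCA.key" -CAcreateserial -out "$dir/mycert.crt" 2>/dev/null
}

# The page's command, made non-interactive with -passout so it can be scripted.
# For a production keystore let openssl prompt instead, so the password does
# not end up in shell history or process listings.
build_keystore() {
  dir="$1"; pass="$2"
  openssl pkcs12 -export -in "$dir/mycert.crt" -inkey "$dir/mykey.key" \
    -out "$dir/mycert.p12" -name tomcat -CAfile "$dir/myCA.crt" \
    -caname root -chain -passout "pass:$pass"
}

# Number of certificates in the bundle: 2 means the server certificate and the
# CA certificate pulled in by -chain are both there; 1 means clients would be
# served an incomplete chain.
count_certs() {
  openssl pkcs12 -in "$1/mycert.p12" -nokeys -passin "pass:$2" \
    | grep -c 'BEGIN CERTIFICATE'
}

# Friendly name on the server certificate bag. This is the alias server.xml
# must reference, so a mismatch is caught here rather than at Tomcat startup.
keystore_alias() {
  openssl pkcs12 -in "$1/mycert.p12" -nokeys -clcerts -passin "pass:$2" \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

work=$(mktemp -d)
build_test_material "$work"
build_keystore "$work" changeit
echo "certificates in bundle: $(count_certs "$work" changeit)"
echo "alias: $(keystore_alias "$work" changeit)"
```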