
Using OpenSSL to Create a Certificate Keystore for Tomcat

Overview

If you have a private key, an SSL certificate, and a certificate bundle from a Certificate Authority (CA), you can use OpenSSL to create a certificate keystore that Tomcat can use.

Requirements

The following components are required to create a keystore for Tomcat:

  • OpenSSL
  • Private key with a .key file extension from CA
  • SSL certificate file from CA
  • Certificate bundle from CA

Procedure

  1. Execute the following command to create a .p12 keystore bundle from the private key, SSL certificate, and certificate bundle:
    openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12 -name tomcat -CAfile myCA.crt -caname root -chain
  2. Enter a password of “changeit” when prompted. Note: If a different password is used, it will need to be specified in the server.xml file.
  3. Once the .p12 keystore bundle is created, move it to the root of the Tomcat directory.
  4. Modify the server.xml file so the connector port includes the following:
    keystoreType="PKCS12"
  5. Also, update the keystoreFile line of the server.xml file so that it points at the new keystore bundle.
  6. Restart Tomcat. See Starting and Stopping Tomcat for instructions.
  7. Browse to the JSS and verify that the correct certificate is now being used. (For example, in Safari, click the lock button in the upper-right corner of the browser window.)
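As an added example (not part of the original article), the following POSIX shell script runs the step 1 command with the password supplied through an environment variable instead of the interactive prompt, and then checks the finished keystore before it is copied into the Tomcat directory: how many certificates it bundles, and whether the bundled private key actually belongs to the server certificate. The file names, the P12PASS variable and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: build the .p12 keystore from
# step 1 and sanity-check it before moving it into the Tomcat directory.
# File names (mycert.crt, mykey.key, myCA.crt, mycert.p12) are placeholders.
set -eu

# build_keystore CERT KEY CA_BUNDLE OUT PASSWORD
# Same openssl invocation as the article; the password is handed over via the
# P12PASS environment variable so it is neither typed at a prompt nor visible
# in the process list. Fails if CA_BUNDLE does not chain CERT to a root.
build_keystore() {
  P12PASS="$5" openssl pkcs12 -export -in "$1" -inkey "$2" -out "$4" \
    -name tomcat -CAfile "$3" -caname root -chain -passout env:P12PASS \
  && chmod 600 "$4"   # the keystore holds the private key
}

# count_certs KEYSTORE PASSWORD
# Prints how many certificates the keystore carries (server cert + chain).
count_certs() {
  P12PASS="$2" openssl pkcs12 -in "$1" -nokeys -passin env:P12PASS 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# key_matches_cert KEYSTORE PASSWORD CERT
# Succeeds only if the private key inside the keystore belongs to CERT; a
# wrong -inkey is otherwise only noticed when Tomcat fails to start.
key_matches_cert() {
  ks_pub=$(P12PASS="$2" openssl pkcs12 -in "$1" -nocerts -nodes \
             -passin env:P12PASS 2>/dev/null | openssl pkey -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$3" -pubkey -noout)
  [ -n "$ks_pub" ] && [ "$ks_pub" = "$cert_pub" ]
}

# Usage: ./mkkeystore.sh mycert.crt mykey.key myCA.crt mycert.p12 changeit
if [ "$#" -eq 5 ]; then
  build_keystore "$1" "$2" "$3" "$4" "$5"
  key_matches_cert "$4" "$5" "$1" || { echo "key does not match certificate" >&2; exit 1; }
  echo "$4: $(count_certs "$4" "$5") certificate(s); set keystoreType=\"PKCS12\" in server.xml"
fi
```

Because of -chain, openssl refuses to write the keystore when myCA.crt does not verify the server certificate all the way to a root, so an incomplete CA bundle fails here rather than as a browser trust error later; the password given here is the one that must appear as keystorePass in server.xml when it is not "changeit".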
SOLVED Posted: 9/26/13 at 6:13 PM by mazarothit

When you say "move it to the root of the tomcat directory" do you mean /usr/local/jss/tomcat or /usr/local/jss/tomcat/webapps/ROOT ?

SOLVED Posted: 12/18/13 at 3:54 PM by winningham.2

@mazarothit if you are using JSS 9.x, you can do the following steps:
JSS > System Settings > Apache Tomcat Settings > Edit > Change the SSL certificate used for HTTPS > Upload an existing SSL certificate, and just upload the p12 keystore you just created.

Afterwards you need to restart Tomcat to actually "set" the cert within the Tomcat Webserver.

Hope that helps.

SOLVED Posted: 7/18/14 at 2:05 PM by bobkrez

This is my first time getting an SSL certificate. I have one now, but the certificate has a .cer extension. The first line shows a file called mycert.crt. Can I rename my cert to that extension, i.e., cert.crt from cert.cer, so I can create the p12?

SOLVED Posted: 5/8/15 at 5:04 AM by ravijangra

@bobkrez - though you can rename the cert file, you don't need to do that. In case you want to, then refer to it properly.

SOLVED Posted: 6/18/15 at 8:36 AM by snovak

There's a GUI for openssl called XCA which may come in handy for some people.

SOLVED Posted: 10/1/15 at 8:21 PM by Gocobachi

I definitely would be interested in using XCA.
