Thursday, November 20, 2008

Thanks Mike! (Apache Tomcat SSL Certificate Keystore Configuration)

Today at work Mike helped me out with my Tomcat SSL crap.

The Tomcat SSL Connector in conf/server.xml wants a Java keystore file.

That keystore file is usually created with the $JAVA_HOME/jre/bin/keytool program. Unfortunately, I was given a key file by my sys admin, and keytool expects the PEM file it imports to be an X.509 certificate, not a bare key.

The openssl program will happily take care of converting the PEM file containing the actual certificate:
Unfortunately, the same approach doesn't work for the actual key file:
So, I asked Mike if he happened to know anything about SSL and Java keystores. He gave me this script (slightly modified from the original):

His script basically automates the process of getting a personal certificate, or rather, converting between an SSL chain certificate PEM file and a Java keystore file.

It does this by first using openssl to create a PKCS12 encoded version of the PEM file piped in through stdin, and then using PKCS12Import to store the PKCS12 entry into the Java keystore. Very nice.
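The same two steps as a shell function, added here as an example (this is not Mike's script, which the post does not reproduce); it swaps the PKCS12Import class for keytool's -importkeystore, and the "tomcat" alias, file names and password are assumptions:

```sh
#!/bin/sh
# Added example: PEM key + certificate (+ optional chain) -> Java keystore for
# Tomcat's SSL connector. Not the script from the post; PKCS12Import is
# replaced by keytool -importkeystore (available since Java 6).
set -eu

# Usage: pem_to_keystore KEY.pem CERT.pem OUT.jks PASSWORD [CHAIN.pem]
# The alias "tomcat" is an assumption matching the connector's default keyAlias.
pem_to_keystore() {
    key="$1"; cert="$2"; out="$3"; pass="$4"; chain="${5:-}"
    p12="$(mktemp)"
    # Step 1: openssl bundles key, cert and chain into one PKCS12 entry.
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -name tomcat -out "$p12" -passout "pass:$pass"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -name tomcat -out "$p12" -passout "pass:$pass"
    fi
    # Step 2: copy that entry into a JKS keystore (the default keystoreType in
    # server.xml); the same password is used for the store and the key.
    rm -f "$out"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$out" -deststoretype JKS -deststorepass "$pass"
    rm -f "$p12"
}

# Sanity check: number of private-key entries in a keystore. Tomcat needs
# exactly one under the configured alias, so 0 means the key did not make it.
keystore_key_entries() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -c PrivateKeyEntry
}
```

If the JDK doing the import predates 8u301/11.0.12, it may reject the PBES2 encryption OpenSSL 3 uses by default for PKCS12; adding `-legacy` to the `openssl pkcs12 -export` line produces the older format those JDKs read.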

Further reading:
Extracting private key from Java
Some Java source code for the com.sun.xml.wss package at

In summary, Mike is cool. Thanks, Mike.
