In this short tutorial we will show how to import a PEM certificate into a PFX (PKCS#12) file and then into a Java keystore (JKS) for use with Tomcat.
- Step 1 is to import the PEM certificate into a PFX. For this we need 3 files containing the private key, the certificate and the intermediate (CA) chain:
openssl pkcs12 -export -out certificate.pfx -inkey 1.key -in 1.crt -certfile 1.ca
- Step 2 is to generate a keystore (this creates a placeholder entry under the alias tomcat, which we replace later):
keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
- Step 3 is to import the PFX certificate into the keystore:
keytool -importkeystore -srckeystore certificate.pfx -srcstoretype PKCS12 -destkeystore keystore.jks
- Step 4 is to delete the tomcat alias that we initially configured:
keytool -delete -alias tomcat -keystore keystore.jks
- Step 5 is to replace it with the entry that we imported (openssl stores it under the alias 1):
keytool -changealias -alias 1 -destalias tomcat -keystore keystore.jks
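The same procedure as one script, added here as an example and not part of the original tutorial: it passes the same password to both the PFX and the keystore (the error case noted below) and renames alias 1 to tomcat during the import, so the separate delete/changealias steps are not needed. File names and the password are assumptions.

```shell
#!/bin/sh
# Added example: PEM -> PFX -> JKS in one function.
# Assumed inputs: 1.key (private key), 1.crt (certificate), 1.ca (intermediate chain).
set -eu

# pem_to_jks KEY CRT CA_CHAIN PASSWORD
# Writes certificate.pfx and keystore.jks in the current directory.
pem_to_jks() {
    key="$1"; crt="$2"; ca="$3"; pass="$4"

    # Step 1: bundle key, certificate and chain into a PKCS#12 file.
    # Without -name, openssl stores the entry under the alias "1".
    openssl pkcs12 -export -out certificate.pfx \
        -inkey "$key" -in "$crt" -certfile "$ca" \
        -passout "pass:$pass"

    # Steps 2-5 collapsed: import into a fresh JKS, renaming alias 1 to tomcat.
    # -srcstorepass and -deststorepass must be the same value, otherwise
    # keytool refuses the import. -noprompt skips the interactive confirmation.
    rm -f keystore.jks
    keytool -importkeystore -noprompt \
        -srckeystore certificate.pfx -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore keystore.jks -deststoretype JKS -deststorepass "$pass" \
        -srcalias 1 -destalias tomcat
}

# has_alias KEYSTORE PASSWORD ALIAS -> exit status 0 if the alias exists
has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Usage: ./pem_to_jks.sh 1.key 1.crt 1.ca changeit
if [ "$#" -eq 4 ]; then
    pem_to_jks "$@"
    has_alias keystore.jks "$4" tomcat && echo "keystore.jks contains alias tomcat"
fi
```

Check the result with `keytool -list -keystore keystore.jks` before pointing Tomcat at it; the entry should appear under the alias tomcat as a PrivateKeyEntry.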
Some things to keep in mind:
- For the import to work, the destination keystore must use the same password as certificate.pfx; otherwise keytool reports an error.
- SNI (serving different certificates per hostname on one connector) is supported in recent Tomcat versions (8.5 and later). An example of such a configuration can be found below:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="domain1.com">
    <SSLHostConfig hostName="domain1.com">
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="changeit"
                     certificateKeyPassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
    <SSLHostConfig hostName="domain2.com">
        <Certificate certificateKeystoreFile="conf/keystore2.jks"
                     certificateKeystorePassword="changeit"
                     certificateKeyPassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>