0 Replies Latest reply on Jul 19, 2007 3:07 AM by waCraig

    Importing an existing Cert into Apache Tomcat

With some parsing and conversion, pfx files can be made into pkcs12 keystores.

       

Follow the following steps:

Assuming that you have a pfx (Personal Info Exchange) file that contains your CA-signed or self-signed certificate and your private key:

[One way of getting the pfx file could be by exporting the certificate from the Microsoft Windows Certificate Management console.]

       

1. (If you already have a pkcs12 pem file, skip #1)
   openssl pkcs12 -in mypfxfile.pfx -out mypemfile.pem

2. openssl pkcs12 -export -in mypemfile.pem -out mykeystore.p12 -name "My Certificate"

3. (To verify that the keystore exists)
   keytool -v -list -keystore mykeystore.p12 -storetype pkcs12

       

Now, you have to tell Tomcat that it's really a pkcs12 file. Edit the SSL connector (such as on port 443) block of your server.xml:

<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25"
           address="(ip of server)"
           maxSpareThreads="75" enableLookups="false"
           disableUploadTimeout="true" acceptCount="100"
           scheme="https" keystoreType="PKCS12" secure="true" clientAuth="false"
           sslProtocol="TLS" keystorePass="(password you chose)"
           keystoreFile="/path/to/keystore" />


      -- Craig
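The conversion steps 1 to 3 above, wrapped in shell functions as an added example (not code from the original post). It assumes openssl is on PATH, takes the PFX and keystore passwords from the environment variables PFX_PASS and P12_PASS (assumed names, so they stay out of the process list and shell history), and deletes the intermediate PEM file, which holds the private key, as soon as the export is done.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl on PATH and the
# passwords in PFX_PASS / P12_PASS (assumed variable names).
set -eu

# pfx_to_p12 IN.pfx OUT.p12 "Friendly Name"
# Step 1 of the post: unpack the PFX into a PEM file (certificate + private key).
# Step 2 of the post: re-export that PEM as a PKCS12 keystore for Tomcat.
# The PEM holds the private key in the clear (-nodes), so it is created with
# mode 0600 and removed right after the export.
# Note: OpenSSL 3 may need "-legacy" to read PFX files made by older tooling.
pfx_to_p12() {
    in_pfx=$1; out_p12=$2; name=${3:-"My Certificate"}
    tmp_pem=$(mktemp) || return 1
    chmod 600 "$tmp_pem"
    openssl pkcs12 -in "$in_pfx" -out "$tmp_pem" -nodes -passin env:PFX_PASS
    openssl pkcs12 -export -in "$tmp_pem" -out "$out_p12" -name "$name" \
        -passout env:P12_PASS
    rm -f "$tmp_pem"
    chmod 600 "$out_p12"   # server.xml points at this file; keep it private
}

# p12_cert_count OUT.p12 -> prints the number of certificates in the keystore.
# Step 3 of the post uses keytool; this uses openssl so it works without a JDK.
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# p12_has_key OUT.p12 -> exit status 0 if the keystore contains a private key,
# which is what Tomcat needs alongside the certificate.
p12_has_key() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12_PASS 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}
```

Run as `PFX_PASS=... P12_PASS=... sh -c '. ./convert.sh; pfx_to_p12 mypfxfile.pfx mykeystore.p12'`; the keystorePass value in server.xml is then the P12_PASS you chose.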