I'm going to show you all how I had to fiddle with the Java KEYTOOL application and the keystore it creates to get a certificate I already had working in Apache Tomcat.

I needed to do this to get two web apps, on one server, with one FQDN, working with the same certificate.

One of these apps was a straight Apache application and one was written using the Tomcat framework.

You are going to need...

  1. Your server certificate from GoDaddy, Verisign, etc.
  2. Your certificate private key file (created when you generated your cert).
  3. OpenSSL binaries for Windows (if you are using Windows).
  4. Java Keytool binaries for Windows (if you are using Windows).

Here is what I did and I hope this works for you.

  1. Get your CRT file working in Apache.  This is easy and you should be able to Google/Bing/Yahoo the heck out of how to do this.  But, verify it is working and you get no errors when you browse to your location.
  2. Download and unzip the OpenSSL binaries.
  3. Copy your CRT file and your KEY file to the OpenSSL file location.
  4. Convert your CRT and KEY to a P12 file.  Use this command:
    openssl pkcs12 -export -in [your crt file name here] -inkey [your key file name here] -out [your end result file here].p12
  5. Once complete you will have a P12 file of your own naming in your directory.
  6. Download or locate your KEYTOOL binary on your system.
  7. Set up a directory for your new KEYSTORE; I called mine NEWSTORE.
  8. Copy your P12 file to the NEWSTORE folder.
  9. We are going to create a "crap" keystore using the command:
    keytool -genkey -alias crappyserver -keyalg RSA -keystore [your keystore filename] -keysize 2048
  10. Once complete we will have a file that is our new keystore with one, sorta, bogus entry in it.  Remember the alias we used... crappyserver.  We'll need that later.
  11. I used a certificate from GoDaddy.  So, I need to import the GoDaddy trusted CA cert into my KEYSTORE.  Use this command for that:
    keytool -import -alias root -keystore [your keystore filename] -trustcacerts -file [path and filename of the trusted CA cert]
  12. Once complete, our KEYSTORE has our bogus record and our CA record in it.  We can check that by listing the contents of the KEYSTORE file.  Use the command:
    keytool -list -v -keystore [your keystore filename]
  13. Now we need to import our P12 file.  Use the command:
    keytool -importkeystore -srckeystore [your P12 file filename] -srcstoretype PKCS12 -destkeystore [your keystore filename] -deststoretype JKS
  14. Once complete, we have our bogus record, our CA cert and our server cert's P12 file all in our KEYSTORE.
  15. Now, let's clean up our KEYSTORE and remove the bogus record.  Use the command:
    keytool -delete -alias crappyserver -keystore [your keystore filename]
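
The following is an added example, not part of the original post: it wraps step 4 with two checks, that the CRT and KEY actually belong together before the P12 is built, and that the resulting P12 holds both a certificate and a private key before it goes to keytool. It assumes a POSIX shell (Git Bash on Windows, for instance) and a hypothetical exported variable P12_PASS holding the export password; the function and file names are illustrative.

```shell
#!/bin/sh
# Added example: checks around step 4 (CRT + KEY -> P12).
# P12_PASS and all file names are hypothetical placeholders.

# Succeeds only if the certificate and the private key share one public key.
# usage: cert_matches_key server.crt server.key
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$crt_pub" = "$key_pub" ]
}

# Builds the P12 as in step 4, refusing a mismatched pair. The password is
# read from the exported P12_PASS variable so it never shows up in the
# process list or in shell history.
# usage: make_p12 server.crt server.key out.p12
make_p12() {
    cert_matches_key "$1" "$2" || { echo "cert/key mismatch" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -passout env:P12_PASS
}

# Confirms the P12 carries both a certificate and a private key. The
# decrypted dump stays in a shell variable and is never written to disk.
# usage: p12_is_complete out.p12
p12_is_complete() {
    dump=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nodes 2>/dev/null) \
        || return 2
    case $dump in *"BEGIN CERTIFICATE"*) ;; *) return 1 ;; esac
    case $dump in *"PRIVATE KEY"*) ;; *) return 1 ;; esac
}

# Run as: P12_PASS=... sh this_script.sh server.crt server.key out.p12
if [ "$#" -eq 3 ]; then
    make_p12 "$1" "$2" "$3" && p12_is_complete "$3" && echo "P12 OK: $3"
fi
```

A mismatched pair is the usual reason a keystore imports cleanly but Tomcat then fails the TLS handshake, so it is worth catching before step 13.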

Just to note:

You WILL need to know your key passwords to do this.

You WILL need to set and type, a lot, your KEYSTORE password.

When done, you can copy your KEYSTORE file to the location you need and adjust the filename and password in the SERVER.XML in your Tomcat application.


Hope this helps someone.