Ssl – How to create tomcat keystore from existing Godaddy .key and .crt file

godaddykeytoolssltomcat

I have existing SSL file for a domain which being used in Nginx and Apache.

How I can create tomcat keystore from existing GoDaddy .key and .crt file.

I tried below

keytool -import -alias tomcat -keystore k.key -file k.crt

I got below error

keytool error: java.io.IOException: Invalid keystore format

I got below how to create SSL from scratch, but I need reverse it, https://in.godaddy.com/help/tomcat-generate-csrs-and-install-certificates-5239

Edit below is tomcat ssl config

<Connector port="${tomcat.ssl.port}"
maxHttpHeaderSize="8192"
maxPostSize="4194304"
maxThreads="150"
protocol="org.apache.coyote.http11.Http11Protocol"
executor="hybrisExecutor"
enableLookups="false"
acceptCount="${tomcat.acceptcount}"
connectionTimeout="20000"
disableUploadTimeout="true"
URIEncoding="UTF-8"
SSLEnabled="true"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol = "TLS"
keystoreFile="/data/ssl/cert/keystore.jks"
keystorePass="123456"
keystoreType="JKS"
keyPass="123456"
/>

Best Answer

There are two steps. First export it to pkcs12:

openssl pkcs12 -export -in mycert.crt -inkey myprivate.key -certfile mycert.crt -name "mytomcat" -out mykeystore.p12

Next, use the keytool command to create the jks file:

keytool -importkeystore -srckeystore mykeystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

Related Solutions

Ssl – .crt and .key files and how to generate them

crt and key files represent both parts of a certificate, key being the private key to the certificate and crt being the signed certificate.

It's only one of the ways to generate certs, another way would be having both inside a pem file or another in a p12 container.

You have several ways to generate those files, if you want to self-sign the certificate you can just issue this commands

openssl genrsa 2048 > host.key
chmod 400 host.key
openssl req -new -x509 -nodes -sha256 -days 365 -key host.key -out host.cert

Note that with self-signed certificates your browser will warn you that the certificate is not "trusted" because it hasn't been signed by a certification authority that is in the trust list of your browser.

From there onwards you can either generate your own chain of trust by making your CA or buy a certificate from a company like Verisign or Thawte.

Ssl – Tomcat fails to find a key entry in keystore

For anyone else who stumbles upon this: The key (pun not intended) is to import your certificate using the same alias as the one you used to originally create they keystore (along with its private key) when you ran 'keytool -genkey-alias myalias ...' -- this is how Tomcat ties the private key with your new certificate when it is imported.

Basically, like other commenters said, in the end your own cert should NOT show as a "trustedCertEntry" in a 'keytool -list' -- it needs to be a "PrivateKeyEntry", see below example:

keytool -list -keystore sample.keystore

Your keystore contains 1 entry
example, Aug 28, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 12:E0:20:64:92:8A(...)

You can find out the original alias by running 'keytool -list', and looking for the PrivateKeyEntry entry. If all goes well when you import your new CA-provided cert (i.e., you use the same alias and your keys match), the new cert will be automagically absorbed into the PrivateKeyEntry. This is the alias you'll need to refer to in Tomcat's server.xml file.

Best Answer

Related Solutions

Ssl – .crt and .key files and how to generate them

Ssl – Tomcat fails to find a key entry in keystore

Related Topic