Ssl – use openssl to generate key/cert for tomcat

keytoolssltomcat

According to http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Create_a_local_Certificate_Signing_Request_(CSR) I can use keytool to generate the key and cert for tomcat but can I use openssl?

If yes, is there any openssl guideline for tomcat?

Respond to: Mr Valerio Minetti

Yes, the goal is we want to setup the SSL on a tomcat server.
One of my colleagues created the CSR and sent to Thawte, and Thawte return us cert file.
Because my colleague is busy, he hand over this job to me, to setup the tomcat.
After investigating (not the openssl), the fact is my colleague created the CSR by Symantec SSL assistance.

Symantec generated 2 files:

www_xxxxxxxxxx_com_rsa_csr.txt
www_xxxxxxxxxx_com_rsa_private.key

My colleague use www_xxxxxxxxxx_com_rsa_csr.txt to apply cert from Thawte.

So now I need to do the following steps?

using the keytool to create keystore
then import the private key www_xxxxxxxxxx_com_rsa_private.key
import the chain cert from Thawte
import our site cert

Am I correct?

Best Answer

You can generate certs and keys with openssl, but in order to have tomcat using them you will have to use keytool to import it in a tomcat keystore.

you can find some examples here: link

Related Solutions

Tomcat – Exporting Private Key

Believe it or not, this functionality is not supported in keytool. The best solution I have found so far is the software and instructions available for download on this Web site.

I usually generate the key using openssl and then use this method to import the key, as that is not supported by keytool either.

To generate a 2048 bit key:

openssl genrsa -out host.domain.com.key 2048

To create a keystore from this key:

KEY=host.domain.com
openssl pkcs8 -topk8 -nocrypt -in $KEY.key -inform PEM -out key.der -outform DER
openssl x509 -in $KEY.crt -inform PEM -out cert.der -outform DER
wget http://www.agentbob.info/agentbob/81/version/default/part/AttachmentData/data/ImportKey.class
java ImportKey key.der cert.der

Tomcat – Import private key and certificate into Tomcat

All you need to do is this for a Tomcat server:

Start with the original keystore that you used to create your CSR. This keystore has on private key in it with the alias called "tomcat"
From your certificate reply you will have a reply-cert , a intermediate (probably) , and also a root cert that are 3 separate files.
use keytool -import root cert with alias "root"
use keytool -import intermediate cert with alias "intermediate"
finally use keytool -import cert-reply.crt into keystore with alias "tomcat". this action imports the cert reply into position on top of the cert you generated when you created the keystore. this action will generate a certificate chain of length 2 or 3
use keytool -list to see the contents and the chain

NOTE: for an Apache server, the steps are a bit different.

Related Topic