It's quite easy to extract the certificates directly with keytool; it's a bit trickier to extract the private key (although you could write programs to do so). I'd suggest using a combination of keytool and openssl.
If your keystore is in PKCS#12 format (.p12 file), skip this step. Convert your JKS store into a PKCS12 store using keytool (needs the version from Java 6+):
keytool -importkeystore -srckeystore thekeystore.jks \
-srcstoretype JKS \
-destkeystore thekeystore.p12 \
-deststoretype PKCS12
Then, extract the certificate using openssl:
openssl pkcs12 -in thekeystore.p12 -clcerts -nokeys -out servercert.pem
Extract the private key:
umask 0077
openssl pkcs12 -in thekeystore.p12 -nocerts -nodes -out serverkey.pem
umask 0022
Note that, because the -nodes option is used when extracting the private key, the private key file won't be protected (it mustn't have a password to be usable by Apache Httpd), so make sure no one else can read it.
Then, configure Apache Httpd using SSLCertificateFile and SSLCertificateKeyFile to point to the certificate file and the private key file, respectively.
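Two checks worth running once the files exist, as an added example that is not part of the answer above: that the -nodes key is readable by its owner alone, and that the extracted key really belongs to the extracted certificate. File names serverkey.pem and servercert.pem are assumed from the commands above; the demo at the bottom uses a constructed empty temp file, not real key material.

```shell
#!/bin/sh
# Added example, not from the answer above. Assumed file names:
# serverkey.pem (extracted with -nodes) and servercert.pem.

# Return 0 only if FILE is a regular file with no read or write permission
# for group or others, i.e. the unencrypted key is readable by its owner alone.
# Uses ls -l columns 5-10 (group rwx, other rwx), which is portable to
# GNU, BSD and busybox userlands.
key_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c5-10)
    case "$perms" in
        *r*|*w*) return 1 ;;   # some group/other r or w bit is set
    esac
    return 0
}

# Return 0 if KEY and CERT carry the same public key, 1 if they differ or
# cannot be parsed, 2 if openssl is not installed (the check cannot run).
key_matches_cert() {
    key="$1"; cert="$2"
    command -v openssl >/dev/null 2>&1 || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Demo on a constructed temp file (no real key material): exercises the
# permission check only. Run key_matches_cert on the real PEM files, e.g.
#   key_matches_cert serverkey.pem servercert.pem && echo "key matches cert"
demo=$(mktemp) || exit 1
chmod 600 "$demo"
key_is_private "$demo" && echo "0600 key: private (ok)"
chmod 644 "$demo"
key_is_private "$demo" || echo "0644 key: readable by others, fix with chmod 600"
rm -f "$demo"
```

The permission check is the one that matters after `umask 0077` is lifted again: if the key was copied elsewhere with a looser umask, key_is_private fails and the file needs `chmod 600`. The modulus-style comparison via `openssl pkey -pubout` and `openssl x509 -pubkey` works for RSA and EC keys alike.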
You need to add the certificate for App2 to the truststore file of the used JVM located at %JAVA_HOME%\lib\security\cacerts.
First you can check if your certificate is already in the truststore by running the following command:
keytool -list -keystore "%JAVA_HOME%/jre/lib/security/cacerts"
(you don't need to provide a password)
If your certificate is missing, you can get it by downloading it with your browser and adding it to the truststore with the following command:
keytool -import -noprompt -trustcacerts -alias <AliasName> -file <certificate> -keystore <KeystoreFile> -storepass <Password>
Example:
keytool -import -noprompt -trustcacerts -alias myFancyAlias -file /path/to/my/cert/myCert.cer -keystore /path/to/my/jdk/jre/lib/security/cacerts/keystore.jks -storepass changeit
After import you can run the first command again to check if your certificate was added.
Sun/Oracle information can be found here.
Best Answer
You should try the SSLProxyMachineCertificateFile option and point it to a file containing your client certificate and its (unencrypted) private key in PEM format.
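How the directives from the first answer (SSLCertificateFile / SSLCertificateKeyFile for the certificate served to clients) and from this answer (SSLProxyMachineCertificateFile for the client certificate presented to App2) fit into one mod_ssl virtual host, as an added example that is not part of either answer. Paths and host names are assumptions; SSLProxyCACertificateFile and SSLProxyVerify are standard mod_ssl directives that neither answer mentions, included so the backend's certificate is verified rather than trusted blindly.

```apache
# Added example, not from either answer. All paths and host names are assumed.
Listen 443
<VirtualHost *:443>
    ServerName app1.example.com

    # Serve TLS with the certificate and the -nodes private key extracted
    # via openssl pkcs12 above. The key file must be readable only by the
    # user that starts httpd (usually root), since it carries no passphrase.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/servercert.pem
    SSLCertificateKeyFile /etc/httpd/ssl/serverkey.pem

    # Present a client certificate to App2: one PEM file holding the client
    # certificate followed by its unencrypted private key, same permission
    # rules as serverkey.pem.
    SSLProxyEngine on
    SSLProxyMachineCertificateFile /etc/httpd/ssl/client-cert-and-key.pem

    # Verify App2's own certificate against a CA bundle instead of
    # disabling verification.
    SSLProxyCACertificateFile /etc/httpd/ssl/backend-ca.pem
    SSLProxyVerify require

    ProxyPass        /app2/ https://app2.internal.example.com/
    ProxyPassReverse /app2/ https://app2.internal.example.com/
</VirtualHost>
```

The file named by SSLProxyMachineCertificateFile can be built from the openssl outputs of the first answer with `cat clientcert.pem clientkey.pem > client-cert-and-key.pem` (file names assumed), keeping the same umask discipline as when the key was extracted.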