Usually, when you get your SSL certificates, they are .crt, .key, and .ca-bundle files. These work fine for Apache’s HTTP server, but Apache’s Tomcat server needs these converted into a .jks (Java Key Store), and the Tomcat configuration set up to use that key store. To simplify the conversion, here is a shell script to perform the steps, under the assumption that the .crt, .key, and .ca-bundle files all have the same prefix.<\/p>\n\n\n
#!\/bin\/sh\nif [ \"$1\" = \"\" ]; then\n echo \"\"\n echo \" usage: $0 <file-prefix> <password>\"\n echo \"\"\n echo \" This tool requires that all files have the same prefix, and the .crt, .key, and .ca-bundle files exist.\"\n echo \"\"\n echo \" For example, if your files are named example.com.crt, example.com.key, example.com.ca-bundle, you would do:\"\n echo \"\"\n echo \" $0 example.com mySekretPasswd\"\n echo \"\"\n exit 1\nfi\necho \"\"\necho \" Generating JKS file for $1...\"\necho \"\"\necho \"----------------------------------------------------------\"\nopenssl pkcs12 -export -in $1.crt -inkey $1.key -name $1 -out $1.p12 -passout pass:$2\nkeytool -importkeystore -deststorepass $2 -destkeystore $1.jks -srckeystore $1.p12 -srcstoretype PKCS12 -srcstorepass $2\nkeytool -import -alias bundle -trustcacerts -file $1.ca-bundle -keystore $1.jks -storepass $2\nprefix_alias=`keytool -list -v -keystore $1.jks -storepass $2 | grep -i alias | grep $1`\nif [ \"$prefix_alias\" = \"\" ]; then\n echo \"\"\n echo \" ** something seems to have gone wrong, $1 not found in aliases\"\n echo \"\"\n exit 1\nfi\necho \"----------------------------------------------------------\"\necho \"\"\necho \" JKS file created.\"\necho \"\"\necho \" Copy $1.jks to Tomcat's ssl directory, typically something like \/etc\/tomcat8\/ssl\/$1.jks\"\necho \"\"\necho \" Add or Update the <Connector> entries in Tomcat's server.xml to be something like:\"\necho \"\"\necho \" <Connector port=\\\"8443\\\" protocol=\\\"org.apache.coyote.http11.Http11NioProtocol\\\" maxThreads=\\\"150\\\" SSLEnabled=\\\"true\\\" scheme=\\\"https\\\" secure=\\\"true\\\" clientAuth=\\\"false\\\" sslProtocol=\\\"TLS\\\" keystoreFile=\\\"\/etc\/tomcat8\/ssl\/$1.jks\\\" keystoreType=\\\"JKS\\\" keystorePass=\\\"$2\\\" keyAlias=\\\"$1\\\" \/>\"\necho \" <Connector port=\\\"8009\\\" protocol=\\\"AJP\/1.3\\\" redirectPort=\\\"8443\\\" \/>\"\necho \"\" <\/pre>\n\n\nAn example of using the tool, if your certificate files all start with
example.com<\/strong><\/code>:<\/p>\n\n\n.\/convert-for-tomcat.sh example.com mySekretPasswd<\/strong> <\/pre>\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
Usually, when you get your SSL certificates, they are .crt, .key, and .ca-bundle files. These work fine for Apache’s HTTP server, but Apache’s Tomcat server needs these converted into a .jks (Java Key Store), and the Tomcat configuration set up to use that key store. To simplify the conversion, here is a shell script to … <\/p>\n