
I am using https://zerossl.com for the certificate, they provide me these files:

  • ca_bundle.crt
  • certificate.crt
  • private.key

Then I run these commands

To generate a p12 file

openssl pkcs12 -export -in certificate.crt -inkey private.key -out keystore.p12 -name tomcat -CAfile ca_bundle.crt -caname root -chain 

To generate the JKS file

keytool -importkeystore -srckeystore certificate.p12 -srcstoretype pkcs12 -destkeystore mykeystore.jks -deststoretype pkcs12

Then I edit my /opt/tomcat/conf/server.xml

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="/path/to/your/keystore.jks" keystorePass="your_keystore_password" keyAlias="tomcat" keyPass="your_key_password" clientAuth="false" sslProtocol="TLS" /> 

I'm not sure why the SSL certificate is not working. I would appreciate if someone tells me if I am missing something.

  • -destkeystore mykeystore.jks -deststoretype pkcs12: Here you are contradicting yourself. Most probably it should be -destkeystore mykeystore.jks -deststoretype JKS. Otherwise you could use the first keystore created by openssl, as long as server.xml knows that it's a pkcs12 keystore, not JKS. Commented Nov 20, 2023 at 0:00

1 Answer


So you are doing too much. You don't need to convert the key into a JKS keystore. JKS was Java's original keystore format and was a proprietary format. Since that time PKCS12 has emerged and Java finally supports it, so I'd recommend just using your p12 file, and configuring Tomcat to read PKCS12 instead of trying to use JKS.

But, for a quick answer, your conversion routine from PKCS12 -> JKS isn't saving a JKS file. -deststoretype pkcs12 should be -deststoretype JKS. However, we're going to do it for PKCS12 because that is the "future". Technically Tomcat has had PKCS12 support since 5.0, but future is the saying.

Anyway here is how you can use the P12 cert in your setup in Tomcat.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/your/path/certificate.p12" keystorePass="xxxxsomething_secretxxxxx" keystoreType="PKCS12" /> 
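A check that goes with this advice, added here and not part of the answer or of Tomcat: it reads the legacy keystore* attributes of each TLS Connector in server.xml and compares the declared keystoreType with what the file on disk actually contains (a JKS file starts with the magic bytes FE ED FE ED; a PKCS#12 file is DER and starts with the SEQUENCE tag 0x30), which is exactly how the question's keytool command, writing PKCS#12 content under a .jks name with no keystoreType, goes undetected. The function and parameter names (lint_server_xml, head_reader) are my own; the JKS default for an absent keystoreType is Tomcat's documented behaviour for these attributes.

```python
import os
import xml.etree.ElementTree as ET

JKS_MAGIC = b"\xfe\xed\xfe\xed"   # every JKS file starts with this magic
PKCS12_EXTENSIONS = (".p12", ".pfx")


def sniff_keystore_format(head):
    """Classify a keystore from its first bytes: JKS has a fixed magic,
    PKCS#12 is DER and so starts with a SEQUENCE tag (0x30)."""
    if head is None:
        return None
    if head[:4] == JKS_MAGIC:
        return "JKS"
    return "PKCS12" if head[:1] == b"\x30" else "UNKNOWN"


def read_head(path):
    """First 4 bytes of the keystore on disk, or None if it cannot be read."""
    try:
        with open(path, "rb") as f:
            return f.read(4)
    except OSError:
        return None


def lint_connector(conn, head_reader=read_head):
    """Findings for one <Connector> using the legacy keystore* attributes
    (the newer <SSLHostConfig>/<Certificate> form is not covered)."""
    if conn.get("SSLEnabled", "false").lower() != "true":
        return []
    port, path = conn.get("port", "?"), conn.get("keystoreFile")
    if not path:
        return [f"port {port}: SSLEnabled but no keystoreFile"]
    findings = []
    # Tomcat's documented default for keystoreType is JKS when the attribute is absent.
    declared = (conn.get("keystoreType") or "JKS").upper()
    if os.path.splitext(path)[1].lower() in PKCS12_EXTENSIONS and declared != "PKCS12":
        findings.append(f"port {port}: {path} has a PKCS#12 extension but keystoreType is {declared}")
    if not conn.get("keystorePass"):
        findings.append(f"port {port}: keystorePass is not set")
    actual = sniff_keystore_format(head_reader(path))
    if actual is None:
        findings.append(f"port {port}: cannot read {path}; check the path and permissions")
    elif actual != declared:
        findings.append(f"port {port}: {path} holds {actual} data but keystoreType resolves to {declared}")
    return findings


def lint_server_xml(xml_text, head_reader=read_head):
    """Run lint_connector over every <Connector> in a server.xml document."""
    root = ET.fromstring(xml_text)
    return [f for conn in root.iter("Connector") for f in lint_connector(conn, head_reader)]
```

Run it as `lint_server_xml(open("/opt/tomcat/conf/server.xml").read())` on the Tomcat host; an empty list means the declared type, the file contents and the password attribute are all consistent.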

6 Comments

Technically Tomcat has had PKCS#12 support since Java did.
Thank you guys for your response. I have tried using the .p12 file but it looks like it is not working
(@user207421) PKCS12 was first published in 1999 and Java has supported it since at latest 1.4.1 in 2002, but Sun designed JKS and used it as the default because PKCS12 (normally) uses fairly strong encryption that in the 1990s couldn't be exported from the US or imported some other places, and Sun wanted Java used 'everywhere'. (JKS used and still does deliberately weak encryption, although when the password is available in clear like with Tomcat this is moot; Oracle versions of Java since 2017 discourage JKS as 'proprietary' without mentioning 'weak'.)
@Hector: unless you're using OpenSSL >=3.0 with certain slightly older versions of Java, in which case you get a clearly spurious exception about "password was incorrect" that can be searched on Stack in like 10 seconds, every Tomcat I have seen in decades works with a PKCS12 keystore if the keystore is valid to start with. If yours doesn't you must have done something wrong, but you'll have to fix it yourself because you give us no information at all to go on.
In the logs, I don't get any error, not sure why it is not loading the certificate. I have checked permissions and everything seems to be okay. I have tested using PKCS12 with a .pfx file and it is still not working.