3

I have been given a p12 public/private key signed by a certain CA. I have a local tomcat server that I am doing development work on. I am new to security but I believe that need to get the CA public cert into my tomcats truststore. (I am trying to get x509 certs working with CAS)

How do I get my tomcat (and JVM) to trust this CA? Is there a way to get the CA public cert out of a p12 and into my tomcat truststore? (I have also exported the cert from firefox to get a PEM file for the CA)

I see a lot of posts for jsk to pem, but not the other way round. I just need the CA. (I think) :)

mmaceachran
  • 3,178
  • 7
  • 53
  • 102
  • Not quite the same question, Im trying to pull a CA cert out of a PEM (or p12) file. NOT merge keystores or convert formats. Bruno has the correct answer. – mmaceachran Aug 18 '14 at 02:33

2 Answers2

3

Firstly, there's no guarantee that the p12 file you have contains the CA certificate with which the End Entity Certificate it contains was issued. Although it is useful for a keystore to contain intermediate certificate (as discussed here), containing the CA at the end of the chain is not necessary: if the remote party doesn't trust it, adding it to the chain won't make a difference (as discussed here).

You can check this using openssl pkcs12 -nokeys -out output.pem -in yourstore.p12. Look at the content of output.pem with a text editor, you should see whether the CA certificate is included. If not, contact the CA that issued your certificate, they should be able to provide it to you.

Then, to build a new keystore to use as a truststore, use keytool -import, for example keytool -import -keystore mytruststore.jks -file the_ca_file.pem. (That CA file should only contain the certificate of the CA, not the others. If you're copying this from the previous output, only use the relevant --BEGIN--...--END-- block.)

You're not saying whether you want this truststore to be used for authenticating clients connecting to your Tomcat server, or to be used for connections made by webapps running within Tomcat (in which case they're clients). Where and how to set up this truststore will depend on it. (In the second case, it's often useful to start from a copy of the default cacerts file, instead of creating a new store from scratch.)

Community
  • 1
  • 1
Bruno
  • 119,590
  • 31
  • 270
  • 376
0

It is very Simple to import a certificate (of any type p12, x509) to tomcat trust store. Follow the below steps and you should be able to import the certificate into the trust store of your tomcat.

  1. Find the JRE (not JDK) that your tomcat is using. See the tomcat startup for JRE_HOME.

  2. Use the Keytool in the JREBin directory to import the certificate you EXPORTED with the browser into trust store using the below commands.

    jre\bin\keytool -importkeystore -srckeystore .\Certs\sample.p12 \
    -destkeystore .\Certs\server.keystore -srcstoretype pkcs12 \
    -deststoretype jks -srcstorepass changeit -deststorepass changeit

  3. and type YES when prompted whether to trust the certificate.

Reference:

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

http://support.citrix.com/proddocs/topic/command-center-40/cc-install-import-cert-truststore-tsk.html

jww
  • 97,681
  • 90
  • 411
  • 885
chandra
  • 129
  • 1
  • 1
  • 8
  • OK, My confusion comes in not understanding MY public key and the CA public key. Won't the keytool -importkeystore import MY publlic key as well? I don't wan't that (I don't think) I just want tomcat to accept any key signed by the CA . – mmaceachran Aug 17 '14 at 22:14
  • `-importkeystore` will also copy the private key, which is not what's asked in the question (and private keys should not be distributed in trust stores in general). – Bruno Aug 17 '14 at 22:37