1

I had requested for a certificate by generating the csr using openssl. I have the private key file. Now I want to install the certificate in a keystore which is to be used in tomcat. I have tried the following to do so :

  1. Created the p12 file using the command : openssl pkcs12 -export -in website_com.crt -inkey website_com.key -name tomcat -out website_com.p12
  2. Imported it into a keystore using the command : keytool -importkeystore -deststorepass mypass -destkeystore somename.jks -srckeystore website_com.p12 -srcstoretype PKCS12

The import was successful and tomcat alias was created in somename.jks. Tomcat connector for ssl port :

< Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" URIEncoding="UTF-8">
    <!--    <SSLHostConfig sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"  -->    
        <SSLHostConfig protocols="TLSv1.3"
            ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, 
            TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
            TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
            TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
            TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
            TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
            TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384,
            TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
            TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSVF">
            <Certificate certificateKeystoreFile="D:\apache-tomcat-9.0.37\conf\somename.jks"
                         certificateKeystorePassword="mypass"
                         certificateKeyAlias="tomcat"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Screenshot of the terminal window enter image description here

Any idea what am I doing wrong?

P.S Generating a new CSR and requesting a new cert will not be possible

Aditya Acharya
  • 65
  • 7
  • 2
    Use `keytool -list -keystore D:\apache-tomcat-9.0.37\conf\somename.jks` to check if a `PrivateKeyEntry` named `tomcat` exists. BTW: the entire conversion from PEM to PKCS12 is not necessary since Tomcat 8.5 (see [this question](https://stackoverflow.com/q/49386683/11748454)). The conversion from PKCS12 to JKS is not necessary since around Tomcat 5.5. – Piotr P. Karwasz Apr 22 '21 at 09:31
  • I tried using pem files instead of the keystore, getting an error saying _Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys_. Any idea why is this happening? Both the cert and key file are in .pem format and yes ```somename.jks``` has a ```PrivateKeyEntry``` named ```tomcat``` – Aditya Acharya Apr 22 '21 at 13:22

1 Answers1

1

I solved this issue by using the p12 file generated in the first step instead of using the .jks file.

< Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" URIEncoding="UTF-8">
        <SSLHostConfig protocols="TLSv1.3"
            <Certificate certificateKeystoreFile="D:\apache-tomcat-9.0.37\conf\somename.p12"
                         CertificateKeystorePassword="mypass"
                         certificateKeystoreType="PKCS12"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
Dharman
  • 30,962
  • 25
  • 85
  • 135
Aditya Acharya
  • 65
  • 7