0

I have all the required files to import to my apache tomcat, that is:

  • the Certificate Request file (CSR file)
  • the RSA PRIVATE KEY file
  • the certificates (root, intermediates and Entity/Domain) that was sent to me by the Certificate Authority.

Now i need to import them to my apache tomcat server.

My question is, given that i havent created any key store to my server (the CSR and private key were sent to me, i didnt created them with e.g. keytool), what should be the next steps? Should i have to create a new keystore through keytool -genkey command (which alias?) ? And if so, which of the files above should i import? As far as i can see the keytool command doesnt support to import an existing CSR.

user711189
  • 4,383
  • 4
  • 30
  • 48
  • Does this answer your question? [Enabling SSL on tomcat using pem file](https://stackoverflow.com/questions/49386683/enabling-ssl-on-tomcat-using-pem-file) – Piotr P. Karwasz Aug 15 '21 at 19:42
  • i dont have pem files. The certificates are .crt files – user711189 Aug 15 '21 at 20:11
  • 2
    There are a lot of file extensions used with certificates. A PEM file is a text file with content `-----BEGIN -----` and a Base64 encoded cryptographic object. Your `*.crt` files are probably PEM files. – Piotr P. Karwasz Aug 15 '21 at 20:53
  • Correct! The files contains the content type you said! So these are pem files. However, my tomcat is a little bit older (7.0) and i would prefer to use the default JSSE implementation. That means that i have to convert the pem files to a different format and then import them to a new keystore that will be defined inside the server.xml ? – user711189 Aug 16 '21 at 06:50

1 Answers1

2

The extension .crt is often but not always used for certificates in PEM format. First, set aside the CSR; you won't use it. Look at the contents of the privatekey file and each certificate file; do they each have (usually begin with) a line in the format -----BEGIN {one or more words}----- then several lines of base64 and then a similar END line? If so those are PEM files and the content you need is one privatekey and several certs, exactly as you listed. See also (cross) https://crypto.stackexchange.com/questions/43697/what-is-the-difference-between-pem-csr-key-and-crt and https://security.stackexchange.com/questions/183072/pem-cer-crt-p12-what-is-it-all-about .

As noted in the Q Piotr linked, modern Tomcat (8.5 and up) can directly use PEM files for privatekey and cert(s). Older Tomcats with the 'native' SSL option (aka APR, Apache Portable Runtime, which wraps OpenSSL) also do this.

To use PEM data in older Tomcat using Java SSL (JSSE), or other Java applications, see
Convert a CERT/PEM certificate to a PFX certificate
Importing the private-key/public-certificate pair in the Java KeyStore
How can I set up a letsencrypt SSL certificate and use it in a Spring Boot application?
Converting pem with multiple certificates to java keystore
Converting PEM Certificate for use in JAVA Spring Framework
Converting PEM to PKCS12 and import to Java Keystore
Note PFX is the same thing as PKCS12, and while in olden days it was often necessary to convert to PKCS12 using openssl pkcs12 -export and then to JKS using keytool -importkeystore, Java versions since 2017 should accept PKCS12 as a keystore and in fact j9 up make it the default for newly created keystores.

dave_thompson_085
  • 34,712
  • 6
  • 50
  • 70
  • Correct, these are PEM files. My Tomcat is 7.0 version and i would like to proceed with the default JSSE implementation. What are the steps that should be followed in order to install the PEM certificates and private key to my tomcat? Should i convert the PEM to PKCS12 and import them to a new keystore that will be refered by the server.xml? Thank you, Dave – user711189 Aug 16 '21 at 06:54
  • 1
    You should convert them to PKCS12 per the links. Java supports PKCS12 as a keystore although below 8u60 or 9 you need to explicitly set keyStoreType in the config; those up should work without but personally I would still set it for clarity. – dave_thompson_085 Aug 17 '21 at 03:34