Creating a tomcat keystore and CA signing

[Screenshot: cmd showing keytool]

Many a time we want to set up SSL/TLS, but setting up a keystore can be tricky. Below are the steps in summary. Please note that the path to your Java directory might be different: I performed this on Linux, but you can do the same on Windows from PowerShell or a cmd shell by running keytool from the %ProgramFiles%\jre<version>\bin directory.

Please find below where:
• <alias> is the host alias you pass to -alias, and the CN in the -dname is your server's host name (the name clients will connect to)
• <cert reply> is the certificate signing reply, i.e. the signed certificate the CA sends back for your request
• ca-cert.crt is the Certificate Authority certificate, the certificate of whichever CA signs your request, for example Verisign, DigiCert, Comodo or your organisation's internal CA; it must be the CA you actually send the CSR to, otherwise the reply will not chain to it

===> When you have a Certificate Authority certificate

#Import the CA certificate under its own alias, separate from the node alias (without -alias keytool would file it under "mykey"). If you are using self-signed certificates, i.e. certificates you are not paying for, read the self-signed section
/usr/java/default/bin/keytool -importcert -alias ca -file /<path to CA file>/ca-cert.crt -keystore /opt/tomcat/keystore.jks

#Generate node keys (private and public key pair); -genkeypair is the current name for the older -genkey, which still works
#-dname takes the form "CN=<host name>, OU=<unit>, O=<organisation>, L=<city>, ST=<state>, C=<two-letter country code>"
/usr/java/default/bin/keytool -genkeypair -dname "<distinguished name>" -alias <alias> -keyalg RSA -keystore /opt/tomcat/keystore.jks -keysize 2048

#Create a certificate signing request for the node public key
/usr/java/default/bin/keytool -certreq -alias <alias> -keystore /opt/tomcat/keystore.jks -file <csr file>

#Have the CA sign the public key by sending them the above .csr file

#Import the certificate reply against the same alias; keytool chains it to the CA certificate imported above
/usr/java/default/bin/keytool -importcert -alias <alias> -file <cert reply> -keystore /opt/tomcat/keystore.jks

#Verify the certificate is signed: the node entry should now read "Entry type: PrivateKeyEntry" with "Certificate chain length: 2" or more (your certificate plus the CA chain), and the Issuer of Certificate[1] should be your CA
/usr/java/default/bin/keytool -list -v -keystore /opt/tomcat/keystore.jks

#As an addition, change the keystore's owner to the application user and restrict the access permissions to 0600 (chown <tomcat user> /opt/tomcat/keystore.jks && chmod 0600 /opt/tomcat/keystore.jks; note that chown sets the owner and chmod sets the mode, they are two separate commands)
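As an added example (not from the original post), the whole CA-signed procedure above as one runnable shell script, with a throwaway OpenSSL CA standing in for the commercial CA so the signing step can be exercised end to end and the chain checked afterwards. The alias tomcat, the host name tomcat.example.internal, the subject fields, the demo store password and the temporary working directory are all assumptions; with a real CA, their reply replaces the openssl x509 -req step.

```shell
#!/bin/sh
# Added example (not from the original post): end-to-end run of the CA-signed
# keystore procedure with a throwaway OpenSSL CA standing in for the real CA.
# Assumed values: alias "tomcat", host "tomcat.example.internal", working dir $WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KS="$WORK/keystore.jks"
STOREPASS="changeit-demo"   # demo only; read it from a secret store in practice
ALIAS="tomcat"
HOST="tomcat.example.internal"

# 1. Throwaway CA (stands in for Verisign/DigiCert/your internal PKI).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Demo Test CA" -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.crt" 2>/dev/null
}

# 2. Import the CA certificate under its own alias (not the node alias) so the
#    signed reply can be chained against it later; -noprompt answers "yes" to
#    the "Trust this certificate?" question.
import_ca() {
  keytool -importcert -noprompt -alias ca -file "$WORK/ca-cert.crt" \
    -keystore "$KS" -storepass "$STOREPASS"
}

# 3. Node key pair plus CSR. -genkeypair is the current name for -genkey.
make_node_key_and_csr() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$HOST, OU=Ops, O=Example, C=GB" \
    -keystore "$KS" -storepass "$STOREPASS" -keypass "$STOREPASS" &&
  keytool -certreq -alias "$ALIAS" -file "$WORK/$ALIAS.csr" \
    -keystore "$KS" -storepass "$STOREPASS"
}

# 4. The CA signs the CSR. A real CA does this out of band; here openssl x509
#    does it and adds the subjectAltName modern clients insist on (a matching
#    CN alone is no longer enough for browsers).
sign_csr() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$WORK/ext.cnf" &&
  openssl x509 -req -in "$WORK/$ALIAS.csr" -CA "$WORK/ca-cert.crt" -CAkey "$WORK/ca-key.pem" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/ext.cnf" \
    -out "$WORK/$ALIAS-reply.crt" 2>/dev/null
}

# 5. Import the reply against the same alias; keytool checks the reply's public
#    key matches the stored key pair and builds the chain from the CA entry.
import_reply() {
  keytool -importcert -alias "$ALIAS" -file "$WORK/$ALIAS-reply.crt" \
    -keystore "$KS" -storepass "$STOREPASS"
}

# 6. Verification value: "Certificate chain length: N" from keytool -list -v.
#    2 means node certificate plus CA; a bare self-signed entry would show 1.
chain_length() {
  keytool -list -v -alias "$ALIAS" -keystore "$KS" -storepass "$STOREPASS" \
    | sed -n 's/^Certificate chain length: *//p'
}

# Runs the whole flow. Returns 0 on success, 1 if a step or the chain check
# fails, 99 when keytool or openssl is not installed (nothing to demonstrate).
run_demo() {
  command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1 || return 99
  make_ca && import_ca && make_node_key_and_csr && sign_csr && import_reply || return 1
  chmod 0600 "$KS"                       # the post's "0600" step, done with chmod
  [ "$(chain_length)" = "2" ]
}
```

Run it with `run_demo && echo "signed keystore at $KS"`; the keystore, CA key and CSR are left in $WORK for inspection, and the CA private key there is exactly the kind of file a real CA never hands out, so delete the directory when done.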

=====> Self signed section
Simply generate the keys and that should do it:
#Generate node keys (private and public key pair); note the key size can vary, 2048 bits is the minimum you should use for RSA
/usr/java/default/bin/keytool -genkeypair -dname "<distinguished name>" -alias <alias> -keyalg RSA -keystore /opt/tomcat/keystore.jks -keysize 2048
Nothing vouches for a self-signed certificate, so browsers and other clients will warn until you import it into their trust store.

===> Configuring Tomcat to use the keystore
If you have a Tomcat server, you can configure it to start using SSL/TLS by updating /opt/tomcat/conf/server.xml on Linux, or the equivalent server.xml in the Tomcat conf directory on Windows.

#Un-comment the 8443 SSLEnabled="true" Connector and add the keystore file path and password
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="/opt/tomcat/conf/keystore.jks" keystorePass="lasjdfajd" />

Two things to check here: keystoreFile must point at where you actually created the keystore (the commands above write it to /opt/tomcat/keystore.jks, not /opt/tomcat/conf), and keystorePass sits in clear text in server.xml, so that file needs the same owner-only permissions as the keystore. On Tomcat 8.5 and 9 these attributes are still accepted, but the preferred form moves them into a nested SSLHostConfig/Certificate element (certificateKeystoreFile and certificateKeystorePassword).

===> Exporting my private key

Below we export our private key. If all you wanted was to create a cert and have it signed, the steps below are not required.
The reasons for exporting a private key are many and vary from person to person; some are:

  • You would like to install the same certificate on multiple servers
  • You would like to hard-code your keys in an application
  • You would like to capture IP traffic dumps and decrypt them

Every exported copy is another place the key can be stolen from, so keep the copies, and the places they live, to a minimum, and never commit one to source control.

Our public key is already with us, since we got it from our CA after having it signed; below I also show how to export the same cert from the PKCS12 keystore (you can choose to skip the public key export).

// Convert your JKS keystore into a PKCS12 format keystore
/usr/java/default/bin/keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias <alias>
You will be prompted for the destination keystore password, which you enter twice, followed by the password for your existing keystore, keystore.jks.

//Export public cert from PKCS12 keystore
openssl pkcs12 -in keystore.p12 -nokeys -out kujahapa.pem

//Export private key from PKCS12 keystore (-nodes writes the key unencrypted, so run this under umask 077 and delete the file once it has been installed)
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem

Where key.pem is my private key and kujahapa.pem is my public key; doing a head on the files you can see this:

Private Key

#head -6 key.pem
Bag Attributes
localKeyID: 12 69 46 65 20 31 34 32 37 35 34 23 37 34 37 34 36 89
Key Attributes: <No Attributes>


Public Key
#head -6 kujahapa.pem
Bag Attributes
localKeyID: 54 69 6D 65 20 31 34 32 37 35 34 35 37 34 37 34 36 35
issuer=/CN=Inifi CA
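As an added example (not from the original post), here is the export step above as a runnable script, using OpenSSL alone so it does not need keytool: it builds a PKCS12 keystore standing in for the converted keystore.p12, runs the two export commands from the post, creates the unencrypted key with a restrictive umask, and then does the check a practitioner wants before copying a key anywhere: proving the exported private key actually belongs to the exported certificate. The alias tomcat, the CN tomcat.example.internal, the PKCS12 password and the working directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build a PKCS12 keystore with
# OpenSSL alone, export the cert and private key the way the post does, and
# prove the exported key matches the exported cert before it goes anywhere.
# Assumed values: alias "tomcat", CN "tomcat.example.internal", PKCS12
# password "demo-p12", working directory $EXP.
set -eu

EXP="${EXP:-$(mktemp -d)}"
P12="$EXP/keystore.p12"
P12PASS="demo-p12"   # demo only

# Stand-in for keytool -importkeystore: a self-signed pair packed into PKCS12
# under the alias the post's -srcalias would carry across.
make_demo_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=tomcat.example.internal" \
    -keyout "$EXP/orig-key.pem" -out "$EXP/orig-cert.pem" 2>/dev/null &&
  openssl pkcs12 -export -name tomcat -in "$EXP/orig-cert.pem" -inkey "$EXP/orig-key.pem" \
    -out "$P12" -passout "pass:$P12PASS"
}

# The post's two export commands. -nodes leaves the key unencrypted, so it is
# written in a subshell under umask 077: mode 0600 from the very first write,
# never a world-readable window that a later chmod has to close.
export_pem() {
  openssl pkcs12 -in "$P12" -passin "pass:$P12PASS" -nokeys -out "$EXP/kujahapa.pem" &&
  ( umask 077 &&
    openssl pkcs12 -in "$P12" -passin "pass:$P12PASS" -nodes -nocerts -out "$EXP/key.pem" )
}

# Key/cert match: the public key derived from the private key must be
# byte-identical to the one inside the certificate. Hashing the PEM public
# keys avoids depending on modulus formatting across OpenSSL versions. Both
# readers skip the "Bag Attributes" lines that precede the PEM blocks.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$EXP/kujahapa.pem" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$EXP/key.pem" -pubout | openssl dgst -sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The unencrypted key must be readable by its owner only (exact mode 0600).
key_mode_is_0600() {
  [ -n "$(find "$EXP/key.pem" -perm 600 -print)" ]
}

# Whole flow: 0 on success, 1 if an export or a check fails, 99 when openssl
# is not installed (nothing to demonstrate).
run_export_demo() {
  command -v openssl >/dev/null 2>&1 || return 99
  make_demo_p12 && export_pem || return 1
  key_matches_cert && key_mode_is_0600
}
```

Run it with `run_export_demo && echo "key.pem matches kujahapa.pem"`. If the match check fails on a real export, the usual cause is exporting with the wrong -srcalias from a keystore that holds several entries; the same two openssl commands work on a cert and key exported by any other tool, so keep them around as a pre-deployment check.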