View blogs | Login

How to use an Apache SSL certificate in Java

Often administrators want to use an SSL certificate they already bought for an Apache HTTPD in a Java server, such as Tomcat. This blog walks you through with step-by-step instructions on how to accomplish this goal.

The biggest challenge when using an SSL certificate from an Apache HTTPD server into any Java Server is to handle the different certificate type. Apache HTTPD uses OpenSSL to create a PKCS12 certificate, where as Java uses JKS. Although Java can be configured to use a PKCS12 certificate, a cleaner approach is to import a PKCS12 certificate and convert it into a JKS type.


Before importing, I'd like to talk a little bit about public/private keys and certificates, which is very important to understand when dealing with this topic.

The first step in obtaining an SSL certificate is to create a public/private key pair. You use the openssl program to create this key pair when working with Apache HTTPD. On the other hand, you use the keytool program to do the same when working with Java. A copy of openssl can be obtained from here and download Java JDK to get the keytool program.

After creating the public/private key, you submit your public key in the form of a CSR to a certificate authority (CA) who signs your public key and sends you a certificate.


This article assumes you have already created a public/private key and have received a certificate from a CA. You are already using this certificate on your Apache HTTPD server and now want to use the same certificate in a server written in Java, such as Tomcat.

Step-by-step instructions

Step 1 Gather necessary files
You will need the following files from your Apache Server.
  • Your private key - this should have a .key extension and should be in the same location where your certificate is located on the machine, which is typically set to /etc/httpd/ folder. I use the word should because often administrators change the file extension as well as the location of the files. I such cases you will have to contact the person who initially created the certificate.
  • Your certificate file - this file usually ends with a .cert or a .crt extension. It contains your public key that is signed by a CA and has other properties like the expiration date and validity.
  • Intermediate certificates - these files are typically shipped by the CA and creates a trust relationship when your certficate with a certificate ROOT.
Step 2 Export the certificate
Using the following command export the existing certificate
openssl pkcs12 -export -in your.crt  -inkey yourPrivate.key -out yourExportedCert.p12 -name any-name -CAfile gd_bundle.crt -caname root
Note: Type the above command in one line.

This command will prompt you for a password. As an example, use secret for this value, which will be used in the next step. The result of the above command will be a new file called yourExportedCert.p12
Step 3 Importing into a Java Keystore
Now, let import this certificate into a Java Keystore using the following command.
keytool -importkeystore -deststorepass secret -destkeypass secret -destkeystore my.keystore -srckeystore yourExportedCert.p12 -srcstoretype PKCS12 -srcstorepass secret -alias any-name	
Note: Type the above command in one line.

Now, your public/private keys as well as the certificate in JKS format. You can use this certificate in any server written in Java.

Created on: 8/2/13 11:18 AM
Last updated on: 8/2/13 11:20 AM


Social Media

Powered by