View blogs | Login

How to use an Apache SSL certificate in Java

When using a Java server such as TomCat, most administrators will want to use a SSL certificate they have already purchased for Apache HTTPD.

 Our goal is to walk you through the instructions of converting an SSL certificate to a Java certificate. 

The biggest challenge when using an SSL certificate for an Apache HTTPD server in any Java Server is understanding the different certification types. 

Apache HTTPD uses OpenSSL to create a PKCS12 certificate. Whereas Java uses JKS. Although Java can be configured to use a PKCS12 certificate, a cleaner approach is to import a PKCS12 certificate and convert it to a JKS type.

Public and Private Keys

Before importing the PKCS12 certificate, I'd like to talk a little bit about public and private key certificates.

The first step in obtaining an SSL certificate is to create a public and private key pair. Use the openssl program to create this key pair when working with Apache HTTPD. When working with Java JDK, use the keytool program, which comes with JDK and is located in the $JAVA_INSTALL_DIR/bin folder.

After creating the public and private key, submit your public key in the form of a CSR to a Certificate Authority (CA) who will sign your public key. Once they have signed your public key, the will send you a certificate.


This article assumes you have already created a public/private key and have received a certificate from a CA. You are already using this certificate on your Apache HTTPD server and now want to use the same certificate in a server written in Java, such as Tomcat.

Step-by-step instructions

Step 1 Gather Necessary Files
You will need the following files from your Apache Server.
  • Your Private Key - This should have a .key extension and should be in the same location where your certificate is located on the machine, which is typically set to /etc/httpd/ folder. I use the word should because often administrators change the file extension as well as the location of the files. I such cases you will have to contact the person who initially created the certificate.
  • Your Certificate File - this file usually ends with a .cert or a .crt extension. It contains your public key that is signed by a CA and has other properties like the expiration date and validity.
  • Intermediate Certificates - these files are typically shipped by the CA and creates trust between your certificate and the ROOT certificate.
Step 2 Export the Certificate
Using the following command export the existing certificate
openssl pkcs12 -export -in your.crt  -inkey yourPrivate.key -out yourExportedCert.p12 -name any-name -CAfile gd_bundle.crt -caname root
Note: Type the above command in one line.

This command will prompt you for a password. For the sake of this tutorial, we will use secret for this value. The above command will create a new file called yourExportedCert.p12


When using openssl version 3.x, you will have to add a -legacy option in the above command.
Step 3 Importing into a Java Keystore
Now, lets import this certificate into a Java Keystore using the following command.
keytool -importkeystore -deststorepass secret -destkeypass secret -destkeystore my.keystore -srckeystore yourExportedCert.p12 -srcstoretype PKCS12 -srcstorepass secret -alias any-name	
Note: Type the above command in one line.

Now, your public and private keys and the SSL certificate are in JKS format. The keys and certificate can now be used in any server written in Java.

Created on: Aug 2, 2013
Last updated on: May 27, 2024


Your email address will not be published.

Philip Schilling 1025 days ago

Very poor writeup.  You need full instructions, you are missing explaining variables above, you do not tell us how to actually use this certificate with Xeams.


Social Media

Powered by