Convert OpenSSL certificates to Java keystore file

If you normally generate SSL keys and CSRs with the openssl tool, you will need to convert the OpenSSL key and certificate into a Java keystore file before Java-based web servers (e.g. Tomcat) can use them. This quick tutorial walks through the steps:

  1. Assume that you have both server.key and server.crt (the bundle file, which contains the certificate itself combined with the root CA and intermediate certificates).
  2. Generate a p12 (PKCS#12) file. Remember to choose a password for this p12 file so that Java keytool does not complain later:
    openssl pkcs12 -export -in server.crt -inkey server.key > server.p12
  3. Then use Java keytool to generate the keystore file (also remember to set a password for the new file):
    keytool -importkeystore -srckeystore server.p12 -destkeystore server.jks -srcstoretype pkcs12
  4. Finally, upload server.jks to your server and configure Tomcat to use it. Example configuration:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxHttpHeaderSize="8192" SSLEnabled="true"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true" acceptCount="100"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               useBodyEncodingForURI="true"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
               keystorePass="MyJKSPassword" keystoreType="jks"
               keystoreFile="/path_to_ssl/server.jks"/>

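That's all. Remember to add the ciphers attribute as in the sample configuration above so that you do not receive the error “Server has a weak, ephemeral Diffie-Hellman public key”. The list contains only ECDHE and RSA key-exchange suites, so the server never offers the plain DHE suites that trigger this error.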
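A guarded version of steps 1 and 2, as an added example that is not part of the original article: it refuses to build the p12 when the password is empty or when server.key does not belong to the certificate in server.crt, then confirms that the p12 holds the same leaf certificate before it is handed to keytool. The `P12_PASS` variable, the function names and the sample files are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the original article. File names follow the article;
# the P12_PASS variable and all function names are assumptions of this sketch.

# True only if the private key and the leaf (first) certificate share a public key.
pair_matches() {  # pair_matches KEY CRT
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Step 2 with guards: non-empty password (read from the environment, not argv),
# matching key pair, and an output file that only the owner can read.
export_p12() {  # export_p12 KEY CRT OUT
  [ -n "${P12_PASS:-}" ] || { echo "set P12_PASS first" >&2; return 2; }
  export P12_PASS
  pair_matches "$1" "$2" || { echo "key/certificate mismatch" >&2; return 3; }
  ( umask 077; openssl pkcs12 -export -in "$2" -inkey "$1" -passout env:P12_PASS -out "$3" )
}

# SHA-256 fingerprint of a PEM certificate, and of the leaf stored inside a .p12.
crt_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
p12_fp() {  # relies on P12_PASS having been exported by export_p12
  openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256
}

# Constructed sample data: a throwaway self-signed pair plus an unrelated key.
make_sample() {  # make_sample DIR
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/other.key" 2>/dev/null
}

# Demo on the constructed sample only; no real key material is touched.
d=$(mktemp -d) && make_sample "$d"
P12_PASS='constructed-demo-pass'
export_p12 "$d/other.key" "$d/server.crt" "$d/bad.p12" || echo "refused mismatched key"
export_p12 "$d/server.key" "$d/server.crt" "$d/server.p12" &&
  [ "$(crt_fp "$d/server.crt")" = "$(p12_fp "$d/server.p12")" ] &&
  echo "server.p12 holds the expected certificate"
rm -rf "$d"
```

On real files, set `P12_PASS` and call `export_p12 server.key server.crt server.p12`, then continue with the keytool command from step 3.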
