If you normally generate SSL keys and CSRs with the openssl tool, then to use them with a Java-based web server (e.g. Tomcat) you will need to convert the OpenSSL certificates into a Java keystore file. This quick tutorial walks you through it step by step:
- Assume that you have server.key and server.crt (the bundle file, which contains the certificate itself combined with the root CA and intermediate certificates).
- You'll need to generate a p12 file; remember to choose a password for this p12 file so that Java keytool does not complain later:
[bash]openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12[/bash]
- Then use Java keytool to generate the keystore file (also remember to set a password for the new file):
[bash]keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -destkeystore server.jks -deststoretype JKS[/bash]
- Finally, upload server.jks to your server and configure Tomcat to use it. Example configuration:
[xml]<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxHttpHeaderSize="8192" SSLEnabled="true"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           useBodyEncodingForURI="true"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
           keystorePass="MyJKSPassword" keystoreType="jks"
           keystoreFile="/path_to_ssl/server.jks"/>
[/xml]
All is done. Remember to add the ciphers parameter as in my sample config above so that you do not receive the error "Server has a weak, ephemeral Diffie-Hellman public key".
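As an added example (not part of the original post), the script below wraps the two conversion steps in shell functions and first checks that server.key really belongs to the leaf certificate at the top of server.crt, the mismatch that otherwise shows up only as an opaque keytool or Tomcat start-up error. The alias `tomcat`, the `convert` wrapper and the output file names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: wraps the post's two conversion commands
# in functions and verifies key/certificate consistency before building the keystore.
# Assumed: files server.key / server.crt (bundle), outputs server.p12 / server.jks, alias "tomcat".
set -eu

# Succeeds when the public key of the FIRST certificate in the bundle matches the private key.
# Both sides are normalised to PEM SubjectPublicKeyInfo, so RSA and EC keys are handled alike.
key_matches_cert() {
  local key="$1" bundle="$2" k c
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$bundle" -pubkey -noout 2>/dev/null | openssl pkey -pubin 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Number of certificates in the bundle (leaf plus chain; the leaf must come first).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Post's step 1: private key plus the whole chain into PKCS#12 under a fixed alias.
# The password is passed explicitly so the later keytool import does not prompt.
build_p12() {
  local key="$1" bundle="$2" out="$3" pass="$4"
  openssl pkcs12 -export -in "$bundle" -inkey "$key" -name tomcat -out "$out" -passout "pass:$pass"
}

# Post's step 2: PKCS#12 -> JKS. Needs a JDK's keytool on PATH.
build_jks() {
  local p12="$1" out="$2" pass="$3"
  keytool -importkeystore -srckeystore "$p12" -srcstoretype pkcs12 -srcstorepass "$pass" \
    -destkeystore "$out" -deststoretype jks -deststorepass "$pass" -noprompt
}

# Orchestrates the checks and both conversions for the given key, bundle and password.
convert() {
  local key="$1" bundle="$2" pass="$3"
  key_matches_cert "$key" "$bundle" || { echo "private key does not match first cert in $bundle" >&2; return 1; }
  echo "bundle holds $(cert_count "$bundle") certificate(s)"
  build_p12 "$key" "$bundle" server.p12 "$pass"
  if command -v keytool >/dev/null; then
    build_jks server.p12 server.jks "$pass"
    keytool -list -keystore server.jks -storepass "$pass"   # expect one PrivateKeyEntry named "tomcat"
  else
    echo "keytool not found; import server.p12 on a host with a JDK" >&2
  fi
}

# Usage: ./convert.sh server.key server.crt 'MyJKSPassword'
if [ "$#" -ge 3 ]; then convert "$1" "$2" "$3"; fi
```

The alias chosen with `-name` is what `keytool -list` and Tomcat's `keyAlias` attribute refer to, so keeping it fixed avoids the random alias `openssl pkcs12` would otherwise assign.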