6.3.1. Exporting Certificates From Tomcat

How to export the certificates from Tomcat's keystore for use in securing Apache

Java stores keys and certificates in a keystore file, whose format is Java-specific. Apache also needs access to the same items, but cannot read the Java keystore format. Therefore, the key and the certificates must be exported to separate files. It is simplest to store the exported files in the configuration directory along with the keystore.

You should have already created a keystore during the configuration of your service. Begin by opening service-keystore.ks in KeyToolGUI (available for download here).

Exporting certificates

To export the server's certificate:

  1. Right-click on the server's key (NOT the Certificate Authority's certificate!).
  2. Choose Export from the menu.
  3. Select Head Certificate and PEM Encoded when exporting.
  4. Save with a .crt extension (e.g., as server.crt in your configuration directory).

To export the Certificate Authority's own certificate:

  1. Right-click on the Certificate Authority's certificate.
  2. Choose Export from the menu.
  3. Select Head Certificate and PEM Encoded when exporting.
  4. Save with a .crt extension (e.g., CA.crt).

Exporting the private key

  1. Right-click on the server's key.
  2. Choose Export from the menu.
  3. Select Private Key and Certificates and PKCS #12 and click OK.
  4. Enter the keystore password when prompted (use the same password for the exported key).
  5. Save with a .p12 extension (e.g., private-key.p12).
  6. Convert from PKCS#12 format to PEM:
    $ openssl pkcs12 -in private-key.p12 -out private-key.pem -nodes

Once you have the three files (server.crt, CA.crt and private-key.pem) and the crl.pem file (which should be obtained from your Certificate Authority), you are ready to continue with the instructions specific to your Apache version and operating system.
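
Before handing the files to Apache, it is worth checking that they belong together and that the key file is protected, because the -nodes option in the conversion step writes the private key unencrypted. The script below is an added example, not part of the original instructions: check_export and make_demo_fixture are hypothetical helper names, the file names are the ones used above, and the fixture builds a constructed throwaway CA and server key so the check can be tried offline.

```shell
#!/bin/sh
# Added example: sanity-check the files exported from the keystore.
# check_export DIR returns 0 when all checks pass, otherwise 1, 2 or 3.
check_export() {
    dir=$1
    # 1. The key is stored unencrypted, so group/other must have no access.
    perms=$(ls -ld "$dir/private-key.pem" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "private-key.pem is accessible to group/others" >&2
        return 1
    fi
    # 2. server.crt must carry the public half of private-key.pem.
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$dir/private-key.pem" -pubout) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "server.crt does not match private-key.pem" >&2
        return 2
    fi
    # 3. server.crt must verify against the exported CA certificate.
    openssl verify -CAfile "$dir/CA.crt" "$dir/server.crt" >/dev/null 2>&1 || {
        echo "server.crt is not signed by CA.crt" >&2
        return 3
    }
    return 0
}

# make_demo_fixture DIR: constructed stand-ins for the KeyToolGUI exports
# (a throwaway CA and a server certificate issued by it). Assumption: the
# real files come from the keystore, not from these commands.
make_demo_fixture() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/CA.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.invalid" \
        -keyout "$d/private-key.pem" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/CA.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null &&
    chmod 600 "$d/private-key.pem"
}
```

Run check_export against your configuration directory; the exit status identifies which check failed (1: key permissions, 2: key and certificate mismatch, 3: certificate not issued by the exported CA).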