top of page

Importing a Public Certificate and Private into a Java Keystore

This guide covers configuration of Apache Tomcat with SSL using a public certificate and private key when a .p12, .pfx, or.pem file are not available. Assuming these certificates are issued by a Certificate Authority, the aforementioned files may be able to be downloaded from the CA and more easily imported into the Java keystore. Unfortunately, Java cannot import private key (.key) files natively, though both the public certificate and private key are needed for Tomcat to authorize a secured request. This guide also assumes that you have a blank Java keystore already created with no other certificates in it.

As Java cannot import a private key (.key) file natively, it needs to be converted. OpenSSL will enable us to combine the public certificate (.crt) and private key (.key) into a .p12/.pfx file, which is easily loaded into a Java keystore.

  1. Download OpenSSL and install it to the server OS.

  2. Copy the public certificate and private key file into a temporary working directory, such as D:\Certs.

  3. Open a Command Prompt as Admin and navigate to the directory where OpenSSL is installed (for example, D:\Program Files (x86)\GnuWin32\bin), and run the following command – note that the full path to the .crt and .key files must be used if they exist outside of the OpenSSL bin directory:

    1. openssl pkcs12 -export -in public-certificate-name.crt -inkey private-key-name.key > hostname-of-server.p12

  4. A message will return, stating “Loading ‘screen’ into random state – done”, followed by a prompt for a password. This password can be anything, but should be remembered for later use. 

  5. Once completed, verify that a .p12 file has been generated in the directory specified. If no directory is specified as in the above example, the .p12 file can be found in D:\Program Files (x86)\GnuWin32\bin or wherever OpenSSL is installed. For organizational purposes, the .p12 file can be copied to the same location as the keystore (.jks) file.

  6. Open a Command Prompt as Admin and navigate to the keystore (.jks) location, and import the .p12 file using the below command, utilizing appropriate server names, directories, and passwords as needed:

    1. keytool -importkeystore -deststorepass password -destkeypass password -destkeystore D:\Certs\servername.jks -srckeystore D:\Certs\servername.p12 -srcstoretype PKCS12 -srcstorepass password -alias 1

    2. Important: Note the -alias 1 above – the alias of 1 is required to choose the certificate in the source PKCS12 (.p12 from openSSL) file.

  7. Verify the .p12 file was imported successfully by running “keytool -list -v keystore <keystore>” and verify that the certificate information is returned.

  8. Update the Apache Tomcat server.xml file, usually located at <drive:\>Program Files\Apache Software Foundation\Tomcat 8.5\conf\server.xml – the below connector block of XML code can be used, replacing necessary ports, directory paths, and passwords as needed:

    1. <Connector port=”443″ protocol=”org.apache.coyote.http11.Http11NioProtocol” maxThreads=”150″ SSLEnabled=”true” scheme=”https” secure=”true” clientAuth=”false” sslProtocol=”TLS” keyAlias=”1″ keystoreFile=”D:\Certs\servername.jks” keystorePass=”password” />

  9. Restart the Apache Tomcat service on the web server, and verify that the Apache Tomcat landing page is accessible via https://<servername>.



bottom of page