Apache Tomcat SSL keys created with keytool are, by default, in DER format. These keys cannot be used in Apache httpd, since httpd by default expects the keys in PEM (X.509) format. Using the steps below you can export Tomcat's keys to the Apache httpd format and use them with Apache.
I assume that you already have a working copy of Tomcat with SSL.
If not, follow Verisign's instructions on requesting an SSL certificate, then:
- Create a keystore: $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
- Import the Intermediate CA Certificate: keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>
- Import your SSL Certificate: keytool -import -alias <your_alias> -keystore <your_keystore_filename> -trustcacerts -file <your_certificate_filename>
You will need a copy of Tomcat's keystore file and the keystore password.
Let us start.
First, copy the existing Tomcat keystore file to a new directory so that we don't break anything that is working.
List the keystore contents and verify that you know the password:
# keytool -list -keystore your.key
Now we will export the certificate in DER format:
# keytool -export -alias tomcat -keystore tomcat.keystore -file exported-der.crt
Enter keystore password:
Output will be: Certificate stored in file
The certificate will be stored in the file called exported-der.crt.
Verify the certificate with this command:
# openssl x509 -noout -text -in exported-der.crt -inform der
Output will be the whole certificate, showing who issued it and other info such as your company name.
Now convert the certificate to PEM format so that Apache can understand it:
# openssl x509 -out exported-pem.crt -outform pem -in exported-der.crt -inform der
The exported certificate will be in the file exported-pem.crt.
We have exported the public certificate; now we are going to export the private key.
Download the file ExportPrivateKey.zip from Anandsekar.com.
Extract the key:
# java -jar ExportPrivateKey.zip {keystore_path} JKS {keystore_password} {alias} exported-pkcs8.key
The key is in PKCS #8 PEM format. Now run openssl to convert it to the format that Apache mod_ssl expects:
Use a Cygwin shell to get a good version of OpenSSL without having to install another application.
# openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key -out exported.key
The private key is now exported to the file exported.key.
Edit the httpd.conf/httpd-ssl.conf file:
SSLCertificateFile /root/SSL_export/exported-pem.crt
SSLCertificateKeyFile /root/SSL_export/exported.key
SSLCertificateChainFile /root/SSL_export/<intermediate>
(For SSLCertificateFile I used the cert from Verisign instead.)
Example:
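The export steps above, collected into a script as an added example (this is not code from the original post or from Anandsekar.com). It reproduces the certificate export exactly as the post does it, but exports the private key with keytool's own -importkeystore (JKS to PKCS#12) plus openssl pkcs12 instead of the third-party ExportPrivateKey.zip, and it adds the check the post leaves to "fingers crossed": that the exported key really belongs to the exported certificate. It assumes keytool (from a JDK) and openssl are on PATH, the alias is "tomcat", the keystore is the JKS file keytool created, and the key password equals the keystore password (the post's jar invocation assumes the same); the script name and the output directory are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the keytool/openssl
# steps in functions and verifies that key and certificate pair up.
# Assumptions: keytool and openssl on PATH; JKS keystore as created by keytool;
# key password == keystore password (as the post's jar invocation also assumes).
set -e

# DER -> PEM, the "openssl x509 ... -outform pem" step from the post.
der_to_pem() {                 # $1 in.der  $2 out.pem
    openssl x509 -in "$1" -inform der -out "$2" -outform pem
}

# Certificate: keystore -> DER -> PEM (keytool -export, then der_to_pem).
export_cert_pem() {            # $1 keystore  $2 store password  $3 alias  $4 out.crt
    keytool -export -alias "$3" -keystore "$1" -storepass "$2" -file "$4.der" >/dev/null
    der_to_pem "$4.der" "$4"
    rm -f "$4.der"
}

# Private key without ExportPrivateKey.zip: keytool rewrites the JKS as PKCS#12,
# openssl pkcs12 pulls the key out, and openssl pkcs8 -nocrypt leaves it as
# unencrypted PKCS#8 PEM, the form mod_ssl reads. Because the result is an
# unencrypted key, every file here is created owner-readable only (umask 077).
export_private_key() {         # $1 keystore  $2 store/key password  $3 alias  $4 out.key
    (
        umask 077
        keytool -importkeystore -noprompt \
            -srckeystore "$1" -srcstoretype JKS -srcstorepass "$2" -srckeypass "$2" -srcalias "$3" \
            -destkeystore "$4.p12" -deststoretype PKCS12 -deststorepass "$2" >/dev/null
        openssl pkcs12 -in "$4.p12" -passin "pass:$2" -nocerts -nodes -out "$4.tmp"
        openssl pkcs8 -topk8 -nocrypt -in "$4.tmp" -out "$4"
        rm -f "$4.p12" "$4.tmp"
    )
}

# Does the private key match the certificate? Compare the public key embedded in
# the certificate with the public key derived from the private key. This works
# for RSA and EC keys alike (the classic "-modulus" comparison is RSA-only).
key_matches_cert() {           # $1 cert.pem  $2 key.pem  -> status 0 if they pair
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

main() {                       # $1 keystore  $2 password  $3 output directory
    mkdir -p "$3"
    export_cert_pem "$1" "$2" tomcat "$3/exported-pem.crt"
    export_private_key "$1" "$2" tomcat "$3/exported.key"
    if key_matches_cert "$3/exported-pem.crt" "$3/exported.key"; then
        echo "ok: $3/exported.key matches $3/exported-pem.crt"
    else
        echo "error: exported key does not match the exported certificate" >&2
        exit 1
    fi
}

# usage (placeholder names): sh export-tomcat-keys.sh tomcat.keystore <keystore-password> /root/SSL_export
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

exported.key is written unencrypted, exactly like the post's "-nocrypt" output, so it should stay owner-readable only and be copied to the httpd machine over an authenticated channel, with the temporary directory removed afterwards. On OpenSSL 3 a PKCS#12 file written by an old JDK may use legacy ciphers, in which case "openssl pkcs12 -legacy" is needed to read it. Running key_matches_cert on the Verisign-issued certificate and the exported key is the quickest way to find out why httpd refuses to start after the config change.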
# Verisign certificate
SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/cmmssl/cert/cert.crt"
# Our new key
SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/cmmssl/private/exported.key"
# The Verisign intermediate cert file
SSLCertificateChainFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/cmmssl/intermediate/intermediate.crt"
Restart Apache, with fingers crossed, pixie dust in the air, while the rooster crows, on a full moon, and a live sacrificial chicken waiting on standby.

Did you do any research at all for this post? It's pretty well written, I must say.