I assume that you already have [...]]]> Apache Tomcat SSL keys created with keytool are, by default, in der format. These keys cannot be used in Apache httpd since httpd, be default, expects the keys in pem(X509) format. Using the below steps you can export the tomcat’s keys to Apache httpd format and use it for Apache.

I assume that you already have a working copy of tomcat with SSL.

If Not follow Verisign’s instructions on requesting an SSL certificate, then:

• Create a keystore:   $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
• Import the Intermediate CA Certificate:   keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>
• Import your SSL Certificate:  keytool -import -alias <your_alias> -keystore <your_keystore_filename> -trustcacerts -file <your_certificate_filename>

You will need a copy of the tomcat’s keystore file and the keystore password.

Let us start….

First copy the existing tomcat’s keystore file to a new directory so that we don’t break anything that is working.

List the key and verify you know the passphrase.
# keytool -list -keystore your.key

Now we will export the key in DER format
# keytool -export -alias tomcat -keystore tomcat.keystore -file exported-der.crt
Enter keystore password:
Output will be: Certificate stored in file

The certificate will be stored in the file called exported-der.crt

Verify the certificate with this command:
# openssl x509 -noout -text -in exported-der.crt -inform der
Output will be: The whole certificate saying – who issued it  and other info like your company name etc.

Now Convert the key to PEM format so that apache can understand it:
# openssl x509 -out exported-pem.crt -outform pem -in exported-der.crt -inform der

The exported key will be in the file exported-pem.crt.

We have exported the public key and now are going to export the private key.

Download a  file called (ExportPrivateKey.zip) from Anandsekar.com

Extract the key
# java -jar ExportPrivateKey.zip {keystore_path} JKS {keystore_password} {alias} exported-pkcs8.key

The key is in PKCS #8 PEM format. Now run openssl to convert it to the format apache modssl expects the file.
Use a cygwin shell to get a good version of OpenSSL without having to install another application.
# openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key -out exported.key

The Private key is now exported to the file exported.key.

Edit the httpd.conf/httpd-ssl.conf file
SSLCertificateFile /root/SSL_export/exported-pem.crt  -> I used the cert from Verisign instead.
SSLCertificateKeyFile /root/SSL_export/exported.key
SSLCertificateChainFile /root/SSL_export/<intermediate>

Example:
#Verisign Certificate
SSLCertificateFile “C:/Program Files/Apache Software Foundation/Apache2.2/conf/cmmssl/cert/cert.crt”
# Our new key
SSLCertificateKeyFile “C:/Program Files/Apache Software Foundation/Apache2.2/conf/cmmssl/private/exported.key”
# The Verisign Intermediary cert file.
SSLCertificateChainFile “C:/Program Files/Apache Software Foundation/Apache2.2/conf/cmmssl/intermediate/intermediate.crt”

Restart Apache, with fingers crossed, pixie dust in the air, while the rooster crows, on a full moon, and a live sacrificial chicken waiting on standby.

1. Change Tomcat’s server.xml. (<application>/tomcat/conf/server.xml) Edit the non-SSL <Connector> entry listening on port 80 and add or edit the redirectPort atribute to point to the port on which the SSL <Connector> is listening. By default, the redirectPort was pointing to port [...]]]> Need to have http redirect to https within Tomcat.
Here is a good page on setting up SSL for Tomcat tomcat-6.0-doc/ssl-howto.html

1. Change Tomcat’s server.xml.
(<application>/tomcat/conf/server.xml)
Edit the non-SSL <Connector> entry listening on port 80 and add or
edit the redirectPort atribute to point to the port on which the SSL
<Connector> is listening. By default, the redirectPort was pointing
to port 443.  Note: if you have an internal system running SSL on port 21101, for example, and your site uses a global load balancer, then you need to redirect to port 443.  Otherwise, the URL would be rewritten as https://your.site.com:21101 which would fail at the loadbalancer.

Was:
Connector port=”80″
enableLookups=”false”
redirectPort=”8443″
maxThreads=”100″
minSpareThreads=”100″
maxSpareThreads=”100″

Changed to:
Connector port=”80″
enableLookups=”false”
redirectPort=”443″
maxThreads=”100″
minSpareThreads=”100″
maxSpareThreads=”100″

2. Setup a security constraint in the Tomcat web.xml file.
In the Tomcat web.xml file the following <security> has
to be added within the <web> element. This new element must be
added after the <servlet> element: Note: The Tomcat documentation states that https will only be redirected to the Port listed if there is a <security> listed for some path.  I found the best location to add the info is just prior to the last line in the web.xml

Place the following code just above the last line (</web>) in the web.xml file
(<application>/tomcat/conf/web.xml)

<pre><security>
<web>
<web>Application Name</web>
<url>/*</url>
</web>
<user>
<transport>CONFIDENTIAL</transport>
</user>
</security>

 
<security>
    <web>
        <web>Application Name</web>
        <url>/*</url>
    </web>
    <user>
        <transport>CONFIDENTIAL</transport>
    </user>
</security>