
Tomcat, Java and https

So I recently acquired a free https certificate from StartSSL. All well and good; this was fairly easy. I now have four files at my disposal:

ca.pem
pk.mydomain.com
ssl.crt
sub.class1.server.ca.pem

At that stage I'm fine. I'm about to configure https and get on with my life. As it turned out, things weren't going to go quite that way.

Tomcat needs a keystore. None of those files will do the trick on their own, of course, and none of the naive attempts I was about to try worked either. It's not simply a matter of throwing the three certs into a keystore. Oh no, there's a bit more to it than that.

As usual, Stack Overflow pointed me in the right direction.

openssl rsa -in pk.mydomain.com -out out/ssl.key
cat sub.class1.server.ca.pem ca.pem > out/intcacerts.pem
openssl pkcs12 -export -in ssl.crt -inkey out/ssl.key -certfile out/intcacerts.pem -name "mydomain" -out out/keyandcerts.p12

And that's it. Now, in the server.xml you would find the following:

...
keystoreFile="/path/to/my/keystore/file/keyandcerts.p12"
keystoreType="PKCS12"
...
And that's all. If you have several domain names running on your Tomcat instance, you need a certificate that will accommodate them all, because to this day, Tomcat cannot use a different certificate for different hosts.
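The same conversion as an added example (my script, not the post's own commands verbatim and nothing from StartSSL): it generates a stand-in root, intermediate and server certificate locally so the steps can be rehearsed without the real files, runs the three commands above with an export password, and then checks the resulting PKCS12 the way you would before pointing server.xml at it. The file names, the "mydomain" alias and the "changeit" password are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the post's own code: rebuild the keystore from locally
# generated stand-ins for the StartSSL files and check what actually went into it.
set -euo pipefail

# Constructed fixture: root CA -> intermediate -> server cert, named like the real files.
make_fixture_certs() {
  local d="$1"; mkdir -p "$d"
  printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=Stand-in Root CA' \
    -keyout "$d/root.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Stand-in Intermediate CA' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 1825 -in "$d/int.csr" -CA "$d/ca.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/sub.class1.server.ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mydomain.com' \
    -keyout "$d/pk.mydomain.com" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$d/srv.csr" -CA "$d/sub.class1.server.ca.pem" \
    -CAkey "$d/int.key" -CAcreateserial -out "$d/ssl.crt" 2>/dev/null
}

# The post's three commands. -passout sets the export password Tomcat's keystorePass
# must match; umask 077 because ssl.key is written unencrypted (remove it once the
# .p12 has been checked).
build_tomcat_keystore() {
  local in="$1" out="$2" pass="$3"
  ( umask 077; mkdir -p "$out"
    openssl rsa -in "$in/pk.mydomain.com" -out "$out/ssl.key" 2>/dev/null
    cat "$in/sub.class1.server.ca.pem" "$in/ca.pem" > "$out/intcacerts.pem"
    openssl pkcs12 -export -in "$in/ssl.crt" -inkey "$out/ssl.key" \
      -certfile "$out/intcacerts.pem" -name mydomain -passout "pass:$pass" \
      -out "$out/keyandcerts.p12" )
}

# What to check before pointing server.xml at the file: the alias Tomcat looks up,
# both CA certs bundled, the leaf chains to the root, and the key belongs to the leaf.
verify_keystore() {
  local p12="$1" pass="$2" root="$3" w
  w=$(mktemp -d)
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys -out "$w/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys -out "$w/chain.pem" 2>/dev/null
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$w/key.pem" 2>/dev/null
  grep -q 'friendlyName: mydomain' "$w/leaf.pem" || return 1
  [ "$(grep -c 'BEGIN CERTIFICATE' "$w/chain.pem")" -eq 2 ] || return 1
  openssl verify -CAfile "$root" -untrusted "$w/chain.pem" "$w/leaf.pem" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$w/leaf.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$w/key.pem" -pubout 2>/dev/null)" ] || return 1
  rm -rf "$w"
}
```

A keystore that passes these checks still only covers the names in that one certificate, which is the limitation described above.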