January 14, 2010
T*mcat and P12
You can point Tomcat's SSL connector at a PKCS#12 keystore instead of the default JKS one. A .pfx (Personal Information Exchange) file is already PKCS#12 (the .pfx and .p12 extensions name the same format), so Tomcat can often load an exported file as-is; the OpenSSL round trip below is still useful to normalise the container and to set the friendly name that becomes the keystore alias. Follow these steps:
Assume you have a .pfx file containing your CA-signed or self-signed certificate together with its private key. (One way to get it is to export the certificate, with the private key, from the Microsoft Windows Certificate Management console.)
1. (If you already have a PEM file holding both the private key and the certificate, skip this step.) Convert the .pfx to PEM. You will be prompted for the import password of the .pfx and then for a passphrase that protects the private key inside the PEM file:
openssl pkcs12 -in mypfxfile.pfx -out mypemfile.pem
2. Re-export the PEM file as a PKCS#12 keystore. The -name value becomes the alias that keytool and Tomcat will see, and the export password you choose is the keystore password:
openssl pkcs12 -export -in mypemfile.pem -out mykeystore.p12 -name "My Certificate"
3. Verify that the keystore can be read by Java. This is the check that matters, because Tomcat opens the store with the JDK's PKCS12 implementation, not with OpenSSL:
keytool -v -list -keystore mykeystore.p12 -storetype pkcs12
Once the keystore lists correctly, delete mypemfile.pem; it holds a copy of the private key.
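The three steps as one non-interactive script, with two checks a practitioner would want before the file goes into server.xml. This is an added example and not part of the original post; it assumes openssl is on PATH, and the file names, passwords and alias are placeholders. The first function only builds a throwaway .pfx so the whole thing runs offline, standing in for the file exported from Windows.

```shell
#!/bin/sh
# Added example (not from the original post): pfx -> PEM -> .p12 round trip
# done non-interactively, plus checks. Assumes openssl on PATH; file names,
# passwords and the alias below are placeholders.
set -e

# Stand-in for the file exported from the Windows certificate console:
# a throwaway self-signed key pair bundled as a .pfx (.pfx and .p12 are the
# same PKCS#12 format). Only needed to run the demo offline.
make_sample_pfx() {
    pfx=$1; pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=localhost" \
        -keyout sample.key -out sample.crt >/dev/null 2>&1
    openssl pkcs12 -export -in sample.crt -inkey sample.key -out "$pfx" \
        -name "exported" -passout "pass:$pass"
    rm -f sample.key
}

# Steps 1 and 2 of the post. The intermediate PEM keeps the private key
# encrypted (-passout on the first command, -passin on the second), so no
# plaintext key is written to disk, and the PEM is removed afterwards.
pfx_to_keystore() {
    pfx=$1; pfxpass=$2; p12=$3; storepass=$4; alias=$5
    pem=$(mktemp)
    openssl pkcs12 -in "$pfx" -out "$pem" \
        -passin "pass:$pfxpass" -passout "pass:$storepass"
    openssl pkcs12 -export -in "$pem" -out "$p12" -name "$alias" \
        -passin "pass:$storepass" -passout "pass:$storepass"
    rm -f "$pem"
    # The store password ends up in server.xml; the store itself must not
    # be readable by anyone but the Tomcat account.
    chmod 600 "$p12"
}

# Step 3 without a JDK: the friendlyName of the certificate bag is the
# alias that "keytool -list" would print.
keystore_alias() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# The check the keytool listing does not make: does the private key in the
# store belong to the certificate? Derive the public key from each and
# compare. A mismatch is the classic cause of a connector that starts but
# fails every handshake.
key_matches_cert() {
    keypub=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null)
    certpub=$(openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | openssl x509 -pubkey -noout 2>/dev/null)
    [ -n "$keypub" ] && [ "$keypub" = "$certpub" ]
}

# Usage, with the placeholder names from the post:
#   make_sample_pfx mypfxfile.pfx exportpw        # demo only
#   pfx_to_keystore mypfxfile.pfx exportpw mykeystore.p12 storepw "My Certificate"
#   keystore_alias mykeystore.p12 storepw
#   key_matches_cert mykeystore.p12 storepw && echo "key and cert match"
```

Two version caveats: with OpenSSL 3.x, a .pfx exported by older Windows releases is encrypted with RC2-40 and the first openssl pkcs12 command needs the -legacy option (with the legacy provider loaded) to read it; conversely, a store written by OpenSSL 3.x defaults to AES-256 with PBKDF2, which older JDKs may refuse to open, in which case export with -legacy as well and re-run the keytool listing.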
Now tell Tomcat that the keystore is PKCS#12 rather than the default JKS. Edit the SSL connector block of your server.xml (this is the Tomcat 5.0 layout, where the SSL settings sit on a nested Factory element):

<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS">
  <Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
           clientAuth="false"
           protocol="TLS"
           keystoreType="PKCS12"
           keystoreFile="mykeystore.p12"
           keystorePass="yourKeystorePass"/>
</Connector>

Two things to watch. keystorePass is stored in clear text, so restrict read access to server.xml and to the .p12 file to the account Tomcat runs as. And the JDK's PKCS12 implementation expects the store password and the key password to be the same; an OpenSSL export satisfies that, because it protects the whole container with the single password you typed at -export, so that password is the one that goes into keystorePass.
Good luck!