
Aug 13 2007

Tomcat & SSL

Published by David under geek

Tomcat has quite a good page in its documentation about getting SSL working, and it does a reasonable job of describing how to generate a self-signed cert. However, when it comes to what must be a fairly common use case, importing an existing key/certificate pair into a keystore, it avoids the subject with phrases like: “For more advanced cases, consult the OpenSSL documentation.”

The problem is really Java’s keytool. It does a good job of generating self-signed certs, importing existing certificates you want to trust, or importing a certificate received in answer to a CSR that keytool generated. But when it comes to importing both the certificate and its private key into a keystore, things get a little messier. For example, say you already have a key and certificate you are using on your Apache web server and you now want to use them in your Tomcat server. You might think you can do something like:

keytool -import -alias tomcat -keystore <your_keystore_filename> -file <your_certificate_filename>

but that just won’t work: keytool -import only ever creates a trusted-certificate entry, so the private key never goes into the keystore and Tomcat has nothing to use as its server key. It turns out keytool’s import command cannot bring in an existing key/certificate pair at all. Either bundle the key and certificate into a PKCS#12 file with openssl pkcs12 -export, which Tomcat can read directly with keystoreType="PKCS12" and which keytool -importkeystore (Java 6 and later) can convert into a JKS keystore, or load them programmatically through the java.security.KeyStore API. Get the details on my wiki.
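The OpenSSL route, as an added example (this is not code from the post or from the wiki it points to): bundle the existing PEM key and certificate into a PKCS#12 file, check that the bundle really contains the private key, the thing keytool -import never gives you, and optionally convert it to JKS with keytool -importkeystore. The file names, the password and the alias tomcat are assumptions; the demo at the bottom fabricates a throwaway self-signed pair to stand in for the Apache key and certificate, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the post or its wiki): get an existing PEM
# key/certificate pair, e.g. the one Apache is using, into a keystore
# Tomcat can read, without writing any Java. File names, the password
# and the alias "tomcat" are assumptions; substitute your own.
set -eu

# pem_to_keystore KEY.pem CERT.pem OUT_BASENAME PASSWORD [CHAIN.pem]
# Bundles the key and certificate (plus any intermediate chain) into
# OUT_BASENAME.p12, which Tomcat uses directly with keystoreType="PKCS12".
# If a Java keytool is on PATH, also converts it into OUT_BASENAME.jks.
pem_to_keystore() {
    key=$1; cert=$2; out=$3; pass=$4; chain=${5:-}
    # The key and certificate must belong together: compare their public
    # keys up front rather than finding out when Tomcat fails to start.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$cert" -pubkey -noout)
    [ "$kpub" = "$cpub" ] || { echo "key and certificate do not match" >&2; return 1; }
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -name tomcat -out "$out.p12" -passout "pass:$pass"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -name tomcat -out "$out.p12" -passout "pass:$pass"
    fi
    chmod 600 "$out.p12"   # it holds the private key; keep it private
    # Optional JKS conversion (keytool -importkeystore, Java 6 and later).
    # Non-fatal: the .p12 alone is enough for Tomcat.
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -srckeystore "$out.p12" -srcstoretype PKCS12 \
            -srcstorepass "$pass" -destkeystore "$out.jks" -deststoretype JKS \
            -deststorepass "$pass" -alias tomcat -noprompt 2>/dev/null \
            || echo "keytool could not convert $out.p12; use it directly as PKCS12" >&2
    fi
}

# keystore_has_key FILE.p12 PASSWORD
# Succeeds only if the bundle actually contains a private key.
keystore_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'BEGIN.*PRIVATE KEY'
}

# Stand-alone demo: a throwaway self-signed pair (constructed here) stands
# in for the Apache key and certificate; point the function at your real
# files instead.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    pem_to_keystore "$d/key.pem" "$d/cert.pem" "$d/tomcat" changeit
    keystore_has_key "$d/tomcat.p12" changeit \
        || { echo "no private key in $d/tomcat.p12" >&2; return 1; }
    echo "private key present in $d/tomcat.p12"
}

# Tomcat side (server.xml), pointing at the bundle directly; assumed values:
#   <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
#              keystoreFile="/path/to/tomcat.p12" keystoreType="PKCS12"
#              keystorePass="changeit" sslProtocol="TLS"/>

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found; nothing to demonstrate" >&2
fi
```

The JKS step is there only for installations that insist on a JKS file; modern Tomcat reads the .p12 as-is. If an old JDK refuses to open a .p12 written by OpenSSL 3 (it defaults to newer PBE algorithms), re-run openssl pkcs12 -export with its -legacy option.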

Oh, another thing to watch out for: make sure you always use the genuine Sun Java keytool. The one that comes with gcj, which is probably first in your $PATH, will only make you cry; which keytool (and following any symlink it points to) tells you which one you are actually running.
