SSL certificates and Apache Tomcat

Posted by MyTimeTable Team

Apache Tomcat offers two options for SSL: Java (JSSE) and APR (OpenSSL). Both options require their own set of keys and certificates, and have their own advantages and disadvantages. JSSE generally uses a JKS (Java) keystore (although a PKCS11 or PKCS12 keystore is also possible), whereas the OpenSSL option uses a PEM encoded key and certificate. Performance of the OpenSSL/APR connector is better (more on that later in another post), but the default Java connector is easier to set up (since it is enabled out of the box).

Since I always seem to forget the exact command lines to create a key, CSR and self-signed certificate, I thought it would be nice to make a blog post summing up all the options.

In this post, keytool refers to the keytool program available in your Java JRE or JDK in the bin directory. The other option, openssl, is available either from the binary compile of the Tomcat Native connector (Windows), or from your usual OpenSSL install (Linux, BSD, etc.).

To create a key and certificate in JKS format, by default self-signed:

keytool -genkey -keysize 2048 -keyalg RSA -alias tomcat -keystore keystore.jks


Note that the ‘first and last name’ asked for by keytool refers to the Common Name and should be your domain name (FQDN).

To create a signing request (CSR) for the generated certificate:

keytool -certreq -alias tomcat -file signing_req.csr -keystore keystore.jks


Give this to your SSL provider to get a signed, browser-trusted certificate.

To import the signed certificate into the keystore, including the chain of intermediate certificates (if required), put all the certificates in one file (first the chain, then your certificate), and import them into the keystore:

keytool -import -alias tomcat -file certificate.pem -keystore keystore.jks


Now you should be able to use the keystore in your Tomcat install with the default connector.

To generate a PEM encoded private key, for use with the APR/OpenSSL connector:

openssl genrsa -des3 -out key.pem 2048


To generate a self-signed certificate for a key:

openssl req -new -x509 -key key.pem -out cert.pem -days 3650


To generate a certificate signing request (CSR):

openssl req -new -key key.pem -out cert.csr


The resulting certificate and chain you get from your SSL provider are usually already in PEM format, and can be used directly without extra imports.

What if we want to switch from JSSE to OpenSSL (from JKS to PEM)? We have to convert the keystore to PKCS12 format using keytool, and then extract the key, certificate and chain in PEM format using OpenSSL:

keytool -importkeystore -srckeystore keystore.jks -destkeystore intermediate.p12 -deststoretype PKCS12
openssl pkcs12 -in intermediate.p12 -nocerts -out key.pem
openssl pkcs12 -in intermediate.p12 -clcerts -nokeys -out cert.pem
openssl pkcs12 -in intermediate.p12 -cacerts -nokeys -out chain.pem
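
A check worth running on the three files the conversion above produces, as an added example that is not part of the original post: it confirms that cert.pem and chain.pem carry no private key and reports whether key.pem is encrypted. The function names and the sample PEM content are constructed for illustration, and it assumes a keystore with a single key entry, so cert.pem should hold exactly one certificate.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Count PEM blocks in file $1 whose BEGIN label matches the ERE $2.
pem_count() { grep -Ec -- "^-----BEGIN ($2)-----\$" "$1" || true; }

# Print the private key state of file $1: none, encrypted or plaintext.
# Encrypted means PKCS#8 "ENCRYPTED PRIVATE KEY" or a traditional key whose
# first header line is "Proc-Type: 4,ENCRYPTED".
pem_key_state() {
    awk '
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----$/ { enc++; next }
        /^-----BEGIN ([A-Z0-9]+ )?PRIVATE KEY-----$/ { pending = 1; next }
        pending { if ($0 ~ /^Proc-Type: 4,ENCRYPTED/) enc++; else plain++; pending = 0 }
        END { print (plain ? "plaintext" : (enc ? "encrypted" : "none")) }
    ' "$1"
}

# Audit key.pem ($1), cert.pem ($2) and chain.pem ($3).
# Prints one line per finding and returns 1 if any FAIL was reported.
audit_tomcat_pem() {
    bad=0
    case $(pem_key_state "$1") in
        none)      echo "FAIL $1: no private key"; bad=1 ;;
        plaintext) echo "WARN $1: private key is not encrypted" ;;
    esac
    for f in "$2" "$3"; do
        [ "$(pem_key_state "$f")" = none ] || { echo "FAIL $f: contains a private key"; bad=1; }
    done
    [ "$(pem_count "$2" CERTIFICATE)" -eq 1 ] || { echo "FAIL $2: expected exactly one certificate"; bad=1; }
    return "$bad"
}

# Constructed sample (placeholder base64, not real key material), shaped like
# the output of "openssl pkcs12 -clcerts" without -nokeys: certificate plus key.
demo_dir=$(mktemp -d)
printf '%s\n' 'Bag Attributes' '    friendlyName: tomcat' \
    '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' \
    > "$demo_dir/cert.pem"
cp "$demo_dir/cert.pem" "$demo_dir/chain.pem"
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$demo_dir/key.pem"
cat "$demo_dir/key.pem" >> "$demo_dir/cert.pem"   # simulate the missing -nokeys
audit_tomcat_pem "$demo_dir/key.pem" "$demo_dir/cert.pem" "$demo_dir/chain.pem" || true
```

On real files, call audit_tomcat_pem key.pem cert.pem chain.pem after the export; a FAIL on cert.pem or chain.pem means the private key was written to a file that is normally treated as public.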


I did not include any -nodes option in any of the commands, because usually it doesn’t hurt to have your private key encrypted (you just have to enter the same password in the Tomcat config). About that Tomcat config, here are the required Connector elements for JSSE and OpenSSL/APR based config:

