I am using https://zerossl.com for the certificate; they provide me with these files:
- ca_bundle.crt
- certificate.crt
- private.key
Then I run these commands
To generate a p12 file
openssl pkcs12 -export -in certificate.crt -inkey private.key -out keystore.p12 -name tomcat -CAfile ca_bundle.crt -caname root -chain
To generate the JKS file
keytool -importkeystore -srckeystore certifcate.p12 -srcstoretype pkcs12 -destkeystore mykeystore.jks -deststoretype pkcs12
Then I edit my /opt/tomcat/conf/server.xml
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/path/to/your/keystore.jks" keystorePass="your_keystore_password"
keyAlias="tomcat" keyPass="your_key_password"
clientAuth="false" sslProtocol="TLS" />
I'm not sure why the SSL certificate is not working. I would appreciate it if someone could tell me if I am missing something.
So you are doing too much. You don't need to convert the key into a JKS keystore. JKS was Java's original keystore format, which was a proprietary format. Since that time PKCS12 has emerged and Java finally supports that, so I'd recommend just using your p12 files and configuring Tomcat to read PKCS12 instead of trying to use JKS.
But, for a quick answer, your conversion routine from PKCS12 -> JKS isn't saving a JKS file.
-deststoretype pkcs12
should be
-deststoretype JKS
However, we're going to do it for PKCS12 because that is the "future". Technically Tomcat has had PKCS12 support since 5.0, but future is the saying.
Anyway here is how you can use the P12 cert in your setup in Tomcat.
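An added example, not part of the original answer: a POSIX shell check that reports which container format a keystore file really is from its leading bytes, regardless of its extension, which is how the output of the -deststoretype pkcs12 command above can be identified as PKCS12 despite the .jks name. The function names keystore_format and demo, and the sample bytes, are constructed for illustration.

```shell
#!/bin/sh
# keystore_format FILE
# Prints JKS, JCEKS, PKCS12, DER-other, unknown or unreadable.
keystore_format() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    # First 9 bytes as lowercase hex with no separators.
    hex=$(od -An -tx1 -N9 "$f" | tr -d ' \t\n')
    case "$hex" in
        feedfeed*) echo "JKS"; return 0 ;;    # JKS magic 0xFEEDFEED
        cececece*) echo "JCEKS"; return 0 ;;  # JCEKS magic 0xCECECECE
        30*) ;;                               # ASN.1 SEQUENCE, inspect further
        *) echo "unknown"; return 0 ;;
    esac
    # Skip the SEQUENCE tag and its length octets (counted in hex digits).
    lenbyte=$(printf '%s' "$hex" | cut -c3-4)
    case "$lenbyte" in
        81) skip=6 ;;
        82) skip=8 ;;
        83) skip=10 ;;
        84) skip=12 ;;
        *)  skip=4 ;;   # short form, or indefinite length (0x80)
    esac
    # A PKCS12 PFX starts with INTEGER version 3 (02 01 03).
    # An X.509 certificate starts with another SEQUENCE (30 ...),
    # and a PKCS#8 private key starts with INTEGER 0 (02 01 00).
    first=$(printf '%s' "$hex" | cut -c$((skip + 1))-$((skip + 6)))
    if [ "$first" = "020103" ]; then
        echo "PKCS12"
    else
        echo "DER-other"
    fi
}

# Constructed sample: a PKCS12 header saved under a .jks file name.
demo() {
    d=$(mktemp -d) || return 1
    printf '\060\202\012\000\002\001\003' > "$d/mykeystore.jks"
    keystore_format "$d/mykeystore.jks"
    rm -rf "$d"
}

# Classify the files given as arguments, or run the demo when none are given.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do printf '%s: %s\n' "$f" "$(keystore_format "$f")"; done
else
    demo
fi
```

The result should agree with whatever store type the Tomcat connector is told to expect for that file.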