Adsense 1

Wednesday, January 07, 2009

Exporting tomcat keys to Apache httpd

Apache Tomcat SSL keys created with keytool are, by default, in der format. These keys cannot be used in Apache httpd since httpd, be default, expects the keys in pem(X509) format. Using the below steps you can export the tomcat's keys to apache httpd format and use it for apache.

I assume that you already have a working copy of tomcat with SSL. You need a copy of the tomcat's keystore file and the keystore password.

Let us start....

First copy the existing tomcat's keystore file to a new directory so that we don't break anything that is working.

# mkdir /root/SSL_export/
# cp <path/to/tomcat/keystore/file> /root/SSL_export/tomcat.keystore
# cd /root/SSL_export/
# keytool -list -keystore tomcat.keystore
Enter keystore password: 

The above command will print all the keys in the keystore.

Now we will export the key in DER format
# keytool -export -alias tomcat -keystore tomcat.keystore -file exported-der.crt
Enter keystore password: 
Output will be: Certificate stored in file

The certificate will be stored in exported-der.crt

Verify the certificate with this command:
# openssl x509 -noout -text -in exported-der.crt -inform der
Output will be: The whole certificate saying - who issued it  and other info like your company name etc.

Now Convert the key to PEM format so that apache can understand it:
# openssl x509 -out exported-pem.crt -outform pem -in exported-der.crt -inform der

The exported key will be in the file exported-pem.crt.

We have exported the public key and now are going to export the private key.

Download these files:
# wget
# wget
# mv
# javac

Below command will save the exported private key in the file it is redirected to.
# java ExportPrivateKey tomcat.keystore tomcat G10BalPass > exported-pkcs8.key

We have to change it to RSA format so that apache can recognise it.
# openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key -out exported.key

Private key is now exported to the file exported.key.
Download the intermediate certificate from your certificate authority and keep it in the same location.

Now we should configure apache accordingly:
# cd /etc/httpd/conf.d/
# cp ssl.conf ssl.conf.orig
# vi ssl.conf (Change the following line only after commenting the old lines):
SSLCertificateFile /root/SSL_export/exported-pem.crt
SSLCertificateKeyFile /root/SSL_export/exported.key
SSLCertificateChainFile /root/SSL_export/<intermediate.crt>

Restart apache. You must be able to browse


  1. You can condense

    # keytool -export -alias tomcat -keystore tomcat.keystore -file exported-der.crt
    # openssl x509 -out exported-pem.crt -outform pem -in exported-der.crt -inform der

    # keytool -export -rfc -keystore tomcat.keystore -alias tomcat

  2. Also, the file is not necessary. The references the sun.misc.BASE64Encoder (which is included in the JRE), and not the file your instructions list.

  3. Also, if you apply this diff to, you can use the prompt for password feature while piping the results to a file:

    # java ExportPrivateKey tomcat.keystore tomcat > exported-pkcs8.key
    (notice no password on command line, unlike your example which has G10BalPass, which I hope isn't your real password)

    --- 2009-12-01 12:39:31.000000000 -0500
    +++ 2009-12-01 12:39:07.000000000 -0500
    @@ -39,7 +39,7 @@

    protected static String getPassword() throws Exception
    - System.out.print( "Keystore Password: " );
    + System.err.print( "Keystore Password: " );
    String password = new BufferedReader(new InputStreamReader(;

    if(password == null || password.trim().equals(""))

  4. Thank you so much for these directions! I thought I would have to start over and pay those $@*! people at Thawte again. This works!

  5. Thanks for posting this! It worked like a charm for me and it's rare to find tips like this that work exactly as described considering the number of steps involved...

  6. Very good post!