[caption id="attachment_269" align="alignleft" width="300" caption="keys"]1180565_82303190[/caption]

Some days ago I was asked to set up a tomcat server for SSL. You'd think this is a no brainer. And it actually is when you proceed along the paved path. But if you deviate only a little, you are in big trouble. I solved the trouble I got in, and here is my story as a warning (and a helper for you).

Normally you would use the java keytool, to generate a certificate request, get that request signed by a certification authority (CA) and import it back into the the keystore. A little configuration in tomcat itself and you are done. Pretty easy.

But with the task at hand the problem was: The certificate was already there. Signed by a CA. Somewhere 'in windows'. So the first question was: where the heck is this certificate stored in windows? It is in the certificate store, which I found under

Start\All programs\Administrative  tools\Public key management

Of course the exact location will vary, depending on your Windows version and language used. Once you find the certificate store, you'll have to find the correct certificate. It should be under

Certificates (Local Computer) -> Personal -> Certificates

If you find more then one, you must identify the correct one. It should have the name of the domain you want to serve and it should have 'Intended Purposes' of 'Server Authentication'.

Now that you have found and identified the certificate to use, the question is: how do you get it into the tomcat/java keystore? Well, first you have to export it into a file. In order to do that, select the certificate. Right click on it and select

All Taks -> Export ...

Most of the screens of the following wizard can be left as they are, with one important exception: You must ensure that the private key is exported along with the certificate. Of course you need to remember the location where you store the file, and the password you use for protection.

screenshotCertificateExportWizardSee the screenshot on the side. So all that is left to do is to load that certificate into the keystore, right? Well yes. The problem is: the Java keytool doesn't support importing of private keys, and even for certificates without private key, the keytool doesn't understand the pfx format which Microsoft uses.

Fortunatly other people had the same problem before and implemented a solution: The developers of Jetty. The Jetty download contains a jar File which we can use to load the certificate. You just need the Jetty jar, e.g.


Which is contained in the normal download
and can issue the following command.

java -classpath jetty-6.1.3.jar org.mortbay.jetty.security.PKCS12Import  

obviously you'll have to replaces the pointy brackets with the file name of the exported certifcate and the keystore. Warning: I don't know what happens if the keystore already exists, I only tried it with a not existing one.

Voila your keystore is ready for use with Tomcat.

If you like this article you should also thank Chris Barber, who's article was very helpful


Wan't to meet me in person to tell me how stupid I am? You can find me at the following events: