SSL Key Conversion
Tomcat vs Apache
For Tomcat (and JBoss) you typically generate the Certificate Signing Request (CSR) with "keytool". The process produces two artifacts: the CSR itself, which you ship off to a certificate authority, and a "keystore" file holding the private key whose public half is embedded in the CSR. That private key is what the server uses to prove it owns the certificate during the TLS handshake (and, with RSA key exchange, to decrypt the session key the client sends). This is why you always have to import the signed certificate into the same keystore you used to generate the CSR: the certificate is useless without its matching private key, and that key exists nowhere else. It's the keystore, now holding both the certificate chain and the key, that you reference in Tomcat's server.xml. Example:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="${jboss.server.home.dir}/conf/certs/memberzplus.keystore"
keystorePass="MZPPassword" clientAuth="false" sslProtocol="TLS" />
In Apache with OpenSSL, you use OpenSSL to generate the CSR. This gives you two separate files: the CSR itself and the private key file. The key file can be protected with a passphrase, but on a server that is rarely what you want: Apache can load an encrypted key, but it then has to be given the passphrase every time it starts (via a prompt or SSLPassPhraseDialog), which breaks unattended restarts. The usual practice is to strip the passphrase with the openssl rsa subcommand and protect the key file with restrictive permissions instead. When you get the certificate(s) back, you typically place them in the same directory as the key file and reference each one with its own directive in httpd.conf (or ssl.conf). One caveat on the example below: SSLCACertificateFile is documented for verifying client certificates; the CA's intermediate certificate(s) that the server must send to browsers belong in SSLCertificateChainFile (or, since Apache 2.4.8, appended to the file named by SSLCertificateFile). Example:
SSLCertificateFile conf/ssl/mzp/2011Certs/www_memberzplus_com.crt
SSLCertificateKeyFile conf/ssl/mzp/2011Certs/server.key
SSLCACertificateFile conf/ssl/mzp/2011Certs/TrustedSecureCertificateAuthority_3.crt
Changing Your Mind
Okay, so now that you have SSL nicely configured in JBoss/Tomcat, you discover that you need to front it with Apache. This could be necessary for clustering, security, or the whim of a pointy-haired manager. In any case, it's a problem: even though you have the original certificate files from your SSL provider, you don't have the private key as a separate file, because it was created inside the keystore when you generated the CSR. Apache can't read a Java keystore, and there isn't much documentation on how to turn the keystore into the separate files that OpenSSL-based software expects. But never fear, there is a way.
Convert to PKCS12
PKCS12 is a common container format for private keys and certificates that both Java and OpenSSL understand. The first step is therefore to convert the keystore to PKCS12 with keytool's -importkeystore option (Java 6 or later):
keytool -importkeystore -srckeystore memberzplus.keystore -destkeystore intermediate.p12 -deststoretype PKCS12
keytool prompts for the source keystore password and for a password to protect the new PKCS12 file. A PKCS12 file uses a single password for both the key and the integrity check, so if the key entry in your keystore was given a password different from the keystore's own, pass -destkeypass with the same value as the destination store password (or change the key's password first with keytool -keypasswd). If you skip this, OpenSSL will later report "MAC verified OK" and then fail with "bad decrypt" when it tries to read the key. Treat intermediate.p12 with the same care as the keystore: it contains the private key, so delete it or lock it down once the PEM files have been extracted.
Extract The Key
Now that the keystore is in PKCS12 format, OpenSSL can write it out as PEM, the format Apache reads. The following command dumps the private key and every certificate in the bundle into one text file; -nodes ("no DES") tells OpenSSL to leave the private key unencrypted instead of wrapping it in a new passphrase:
openssl pkcs12 -in intermediate.p12 -out extracted.pem -nodes
Now open "extracted.pem" in a text editor and pull out the block starting with "BEGIN RSA PRIVATE KEY" and ending with "END RSA PRIVATE KEY". (OpenSSL 1.0 and later write the unencrypted key in PKCS#8 form, so the markers may read "BEGIN PRIVATE KEY" / "END PRIVATE KEY" instead; Apache accepts either.) Save that block to a file, make the file readable only by the user Apache starts as, since it is now an unencrypted private key, and reference it in the SSLCertificateKeyFile setting. In the example above you would save the key to conf/ssl/mzp/2011Certs/server.key. Adding -nocerts to the pkcs12 command writes only the key and saves the editing; -nokeys does the reverse for the certificates. One more caveat: a PKCS12 file written by an older keytool is encrypted with RC2/3DES, which OpenSSL 3.x only reads when given -legacy. The key will look something like this:
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAqLoAnZVD3FIT0/YhWbEMODDOaxsxmlSokb2+R0uP4GghsmuO
R/ZaZuLcVzwF1x3VU5LY3wDxt/eKKFfByh2sum7UaSFcD063qayoE36HxNxnZ3eH
pxafkwg4yAbglgt15/x1iaX9nry0iQQp/ut3wjGg2p3jmHHgg8aiZmuRljl9nUS/
...
...
...
8SWMdQKBgFvXKB9yyU4fFThzMW9/yG/IfBvggdtpfWS0WxBgX11k/T7te8/waQDy
8vOQ7sleVBorPNDFwx6FT/eRc4qkciM2B++kK0plqPOxzb5pJcL8MZ6Mlos2XkUJ
J9YB6IbG5oY6zdjn0PKNx2eE1XmnpexfynKwaMkbEE3yZyqil9vs
-----END RSA PRIVATE KEY-----
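The whole extraction step as a script, added here as an example rather than taken from the original post: it pulls the key, the server certificate and any CA certificates out of a PKCS12 bundle like intermediate.p12 into separate files without any text editing, locks down the key file, and then checks that the extracted key really belongs to the certificate before Apache is pointed at them. It assumes only that openssl is on PATH; the P12_PASS environment variable, the output file names and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post: split a PKCS12 bundle into
# the files Apache's SSLCertificateKeyFile / SSLCertificateFile /
# SSLCertificateChainFile expect, then verify the key matches the certificate.
# Assumptions: `openssl` is on PATH; the PKCS12 password is supplied in the
# environment variable P12_PASS (variable name chosen for this example).

# extract_p12 <bundle.p12> <outdir>
# Writes <outdir>/server.key (unencrypted private key), server.crt (the
# end-entity certificate) and chain.crt (any CA certificates in the bundle).
extract_p12() {
    p12="$1"
    outdir="$2"
    mkdir -p "$outdir" || return 1

    # -nocerts: key only; -nodes: write it unencrypted so Apache can start
    # unattended. Restrict the file before anything else can read it.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
        -out "$outdir/server.key" || return 1
    chmod 600 "$outdir/server.key" || return 1

    # -clcerts: only the certificate that pairs with the private key.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts \
        -out "$outdir/server.crt" || return 1

    # -cacerts: intermediate/root certificates, if the keystore held any.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -cacerts \
        -out "$outdir/chain.crt" || return 1
}

# pubkey_digest <pem-file> <private|x509>
# SHA-256 of the DER-encoded public key; works the same for RSA and EC keys,
# unlike the older trick of comparing RSA moduli.
pubkey_digest() {
    case "$2" in
        x509) pem=$(openssl x509 -in "$1" -noout -pubkey) ;;
        *)    pem=$(openssl pkey -in "$1" -pubout) ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= //'
}

# key_matches_cert <key.pem> <cert.pem>
# Returns 0 only when the certificate's public key is the key's public half.
key_matches_cert() {
    k=$(pubkey_digest "$1" private) || return 1
    c=$(pubkey_digest "$2" x509) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: P12_PASS=... sh extract.sh intermediate.p12 conf/ssl/mzp/2011Certs
if [ "$#" -eq 2 ]; then
    extract_p12 "$1" "$2" \
        && key_matches_cert "$2/server.key" "$2/server.crt" \
        && echo "key and certificate match; files written to $2"
fi
```

If the bundle was written by an older keytool and you are on OpenSSL 3.x, add -legacy to each of the three pkcs12 calls. The match check is worth keeping as a habit: a key/certificate mismatch only shows up as a failed Apache start or a handshake error, and the digest comparison catches it before the config is touched.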
As always, if you have questions, or need more information, feel free to contact me.
Comments (1)
Hugh:
Feb 27, 2013 at 06:37 AM
Hi Alan,
I tried this and the first step went fine.
When I tried the second step in windows with openSSL 1.0.1e I got this error:
C:\Users\Hugh>"\Program Files (x86)\OpenSSL-Win32\bin"\openssl pkcs12 -in intermediate.p12 -out extracted.pem -nodes
Enter Import Password:
MAC verified OK
Error outputting keys and certificates
27968:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:.\crypto\evp\evp_enc.c:539:
27968:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:.\crypto\pkcs12\p12_decr.c:104:
27968:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:.\crypto\pkcs12\p12_decr.c:130:
When I tried it in Linux:
[root@localhost sf_VBoxShare]# openssl pkcs12 -in intermediate.p12 -out extracted.pem -nodes
Enter Import Password:
MAC verified OK
Error outputting keys and certificates
140197381506912:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:596:
140197381506912:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:104:
140197381506912:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:
[root@localhost sf_VBoxShare]# rpm -q openssl
openssl-1.0.1c-7.fc18.x86_64
Any ideas what the problem is?