SSL Key Conversion
Tomcat vs Apache
For Tomcat(and JBoss) you typically generate the Certificate Signing Request (CSR) using "keytool". The result of this process is two files; the CSR itself, which you ship off to a certificate authority, and a "keystore" file, which contains the CSR information and a key. The key is the private key used to decrypt the SSL traffic. This is why you always have to import the certificates into the same keystore you used to generate the CSR. Without it, there can be no guarantee that the certificate is being used by the organization that requested it. It's the keystore with the certificates and keys that you reference in Tomcat's server.xml. Example:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystorePass="MZPPassword" clientAuth="false" sslProtocol="TLS" />
In Apache with OpenSSL, you use OpenSSL to generate the CSR. This creates two separate files; the CSR itself, and the key file. The key file can also have a password associated with it, which is a really bad idea. If you leave the key with a password, you will never be able to use it in Apache. When you get the certificate(s) back, you typically place them in the same directory as the key file and configure them with individual settings in httpd.conf (or ssl.conf). Example:
Changing Your Mind
Okay, so now that you have SSL all nicely configured in JBoss/Tomcat, you discover that you need to front it with Apache. This could be necessary for clustering, security, or the whim of a pointy-haired manager. In any case, this is a problem. Even though you have the original certificate files from your SSL provider, you don't have the key file that was placed in the keystore when you generated the CSR. You can't use the keystore in Apache, and there isn't much documentation at all on how to transition the keystore to the separate files you need in OpenSSL. But, never fear, there is a way.
Convert to PKCS12
PKCS12 is a common key format supported by both Java and OpenSSL. Therefore, the first step is to convert the keystore to PKCS12 format:
keytool -importkeystore -srckeystore memberzplus.keystore -destkeystore intermediate.p12 -deststoretype PKCS12
Extract The Key
Now that you have the keystore in PKCS12 format, you can use OpenSSL to convert it to the format required by Apache. The following command will convert the PKCS file to plain text:
openssl pkcs12 -in intermediate.p12 -out extracted.pem -nodes
Now all you have to do is open "extracted.pem" in a text editor and pull out the text starting with "BEGIN RSA PRIVATE KEY" and ending with "END RSA PRIVATE KEY". Save that to a file and reference it in the SSLCertificateKeyFile setting and you're golden. In the example above you would save the key to text file conf/ssl/mzp/2011Certs/server.key. The key will look something like this:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
As always, if you have questions, or need more information, feel free to contact me.