SSL Key Conversion
Tomcat vs Apache
For Tomcat (and JBoss) you typically generate the Certificate Signing Request (CSR) using "keytool". The result of this process is two files: the CSR itself, which you ship off to a certificate authority, and a "keystore" file, which contains the CSR information and a key. The key is the private key used to decrypt the SSL traffic. This is why you always have to import the certificates into the same keystore you used to generate the CSR: without it, there can be no guarantee that the certificate is being used by the organization that requested it. It is the keystore with the certificates and keys that you reference in Tomcat's server.xml. Example:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="${jboss.server.home.dir}/conf/certs/memberzplus.keystore"
keystorePass="MZPPassword" clientAuth="false" sslProtocol="TLS" />
In Apache with OpenSSL, you use OpenSSL to generate the CSR. This creates two separate files: the CSR itself and the key file. The key file can also have a password associated with it, which is a really bad idea: if you leave the key with a password, you will never be able to use it in Apache. When you get the certificate(s) back, you typically place them in the same directory as the key file and configure them with individual settings in httpd.conf (or ssl.conf). Example:
SSLCertificateFile conf/ssl/mzp/2011Certs/www_memberzplus_com.crt
SSLCertificateKeyFile conf/ssl/mzp/2011Certs/server.key
SSLCACertificateFile conf/ssl/mzp/2011Certs/TrustedSecureCertificateAuthority_3.crt
Changing Your Mind
Okay, so now that you have SSL all nicely configured in JBoss/Tomcat, you discover that you need to front it with Apache. This could be necessary for clustering, security, or the whim of a pointy-haired manager. In any case, this is a problem. Even though you have the original certificate files from your SSL provider, you don't have the key file that was placed in the keystore when you generated the CSR. You can't use the keystore in Apache, and there isn't much documentation at all on how to transition the keystore to the separate files you need in OpenSSL. But, never fear, there is a way.
Convert to PKCS12
PKCS12 is a common key format supported by both Java and OpenSSL. Therefore, the first step is to convert the keystore to PKCS12 format:
keytool -importkeystore -srckeystore memberzplus.keystore -destkeystore intermediate.p12 -deststoretype PKCS12
Extract The Key
Now that you have the keystore in PKCS12 format, you can use OpenSSL to convert it to the format required by Apache. The following command converts the PKCS12 file to plain-text PEM; the -nodes option writes the private key out unencrypted, which is what Apache needs:
openssl pkcs12 -in intermediate.p12 -out extracted.pem -nodes
Now all you have to do is open "extracted.pem" in a text editor and pull out the text starting with the "BEGIN RSA PRIVATE KEY" line and ending with the "END RSA PRIVATE KEY" line (the rest of the file is the certificate(s), which you already have from your SSL provider). Save that to a file, keep it readable only by the account that runs Apache since the key is now unencrypted, reference it in the SSLCertificateKeyFile setting, and you're golden. In the example above you would save the key to the text file conf/ssl/mzp/2011Certs/server.key. The key will look something like this:
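The same cut-and-save step as a script, added here as an example and not part of the original post: it splits the PEM file that "openssl pkcs12 -nodes" produces into a key file and a certificate file, checks that exactly one private key came out, and locks down the key's permissions. The file names (extracted.pem, server.key, chain.crt) and the sample PEM contents are assumptions; the sample is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not code from the original post: split the single PEM that
# "openssl pkcs12 -nodes" writes into the separate key and certificate files
# Apache expects. File names (extracted.pem, server.key, chain.crt) are hypothetical.
set -eu
# Copy the private-key block from IN to OUT. Older OpenSSL labels it "RSA PRIVATE
# KEY", newer PKCS#8 output just "PRIVATE KEY"; match both. Key is unencrypted,
# so make the file owner-readable only.
extract_key() {
    awk '/^-----BEGIN .*PRIVATE KEY-----/ {p=1} p {print} /^-----END .*PRIVATE KEY-----/ {p=0}' "$1" > "$2"
    chmod 600 "$2"
}

# Copy every CERTIFICATE block (server cert plus chain) from IN to OUT; the
# "Bag Attributes", "subject=" and "issuer=" lines between blocks are dropped.
extract_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ {p=1} p {print} /^-----END CERTIFICATE-----/ {p=0}' "$1" > "$2"
}

# Number of "BEGIN <LABEL>" lines in FILE, used to sanity-check the split.
count_blocks() {
    grep -c "^-----BEGIN .*$2-----" "$1" || true
}

# Split IN into OUTDIR/server.key and OUTDIR/chain.crt; exit non-zero unless
# exactly one private key came out, so a bad split is not deployed.
split_pem() {
    extract_key "$1" "$2/server.key"
    extract_certs "$1" "$2/chain.crt"
    [ "$(count_blocks "$2/server.key" 'PRIVATE KEY')" -eq 1 ]
}

# Constructed stand-in for extracted.pem (placeholder base64, not a real key
# or certificate) so the functions above can be tried offline.
write_sample_pem() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: tomcat
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtUkVBTC1LRVk=
-----END PRIVATE KEY-----
subject=CN = www.example.com
issuer=CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0hBSU4tQ0VSVElGSUNBVEU=
-----END CERTIFICATE-----
EOF
}
```

Run it against a real file with `split_pem extracted.pem conf/ssl/mzp/2011Certs` and point SSLCertificateKeyFile at the resulting server.key.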
As always, if you have questions, or need more information, feel free to contact me.
Alan Moor
VP of Technology
Mr. Moor joined the team in 1996 as an experienced developer in Oracle, PL/SQL, and PowerBuilder. He has been a team lead and project manager of many high-visibility projects, including lead on the roll-out of our membership management software MemberzPlus to a membership organization with over five million members. Mr. Moor is an Air Force veteran with 8 years of service and served on the board of the Turner Syndrome Society. Mr. Moor has over 25 years' experience in software development in a variety of technical disciplines, including Oracle and Java.