this is obsolete doc -- see instead

OpenSSL notes 


Creating a certificate request for Tomcat 

Note. This can be done as user, in the tomcat configuration folder, you don't have to be root. 


Create a java-tomcat keystore, 

  mkdir newcert/ 

  cd newcert/ 

keytool -keysize 2048 -genkeypair -alias tomcat -keyalg RSA -keystore keystore.jks 

Enter keystore password: PASSWORD 

Re-enter new password: PASSWORD 

What is your first and last name? 

[Unknown]: * 

What is the name of your organizational unit? 

[Unknown]: unit 

What is the name of your organization? 

[Unknown]: company 

What is the name of your City or Locality? 

[Unknown]: city 

What is the name of your State or Province? 

[Unknown]: region 

What is the two-letter country code for this unit? 

[Unknown]: FR 

Is CN=*, OU=unit, O=company, L=city, ST=region, C=FR correct? 

[no]: yes 


Enter key password for <tomcat

(RETURN if same as keystore password): return 

Note. -genkey renamed to -genkeypair 


Generate a tomcat certificate request, 

keytool -certreq -keyalg RSA -alias tomcat -file rapidssl.csr -keystore keystore.jks -sigalg SHA1withRSA 

Note. -sigalg SHA1withRSA is not required for GoDaddy but for RapidSSL/Trustico 


You can then check your java keystore when ever you want, 

  keytool -v -list -keystore keystore.jks -storepass PASSWORD 


Note. you can rename the keystore.jks file afterwards. 




Enabling the signed certificate in the keystore 

Once acquired the CA will send you two keys, their own cert and your signed one. 


First, import the Certificate Authority into the keystore, 

  keytool -import -trustcacerts -alias root -file Issuing_CA.crt -keystore svrkeystore.jks 


Then, import your signed certificate, 

  keytool -import -trustcacerts -alias tomcat -file server.crt -keystore svrkeystore.jks 


Ref. NIMS-SysAdmin_V4.2_v1.00.pdf 


Converting a Tomcat SSL certificate to Apache 

You need openssl and the keytool tool, 

  apt-get install openssl openjdk-7-jdk 


Convert the keystore, 

  keytool -importkeystore -srckeystore svrkeystore.jks -destkeystore svrkeystore-convert.jks -deststoretype PKCS12 -srcstorepass PASSWORD -deststorepass PASSWORD -srcalias tomcat -destalias tomcat -noprompt 

  ls -l svrkeystore-convert.jks 

Note. if you need to change the passphrase, add -srckeypass [original_alias_password] -destkeypass [new_password]. But it needs to be 6 characters long for the keystore so we will eventually remove it after the PEM has been extracted. 


Extract the PKCS12 private key for apache, 

  openssl pkcs12 -in svrkeystore-convert.jks -nocerts -out privatekey.pem 

Enter Import Password: (keystore password) 

Enter PEM pass phrase: (tomcat alias passphrase in the keystore) 


  cat privatekey.pem 


Extract the PKCS12 public key for apache, 

  openssl pkcs12 -in svrkeystore-convert.jks -clcerts -nokeys -out publicCert.pem 


  cat publicCert.pem 


Remove the passphrase so you can restart apache with no passphrase, 

  openssl rsa -in privatekey.pem -out privatekey.nopass.pem 



How to move an SSL certificate from Tomcat to Apache: 

Outils pratiques pour certificats SSL Convertir votre Certificat SSL: 

Remove the passphrase from an existing OpenSSL key file: 


Self-signed certificate 

Create a self-signed certificate, 

mkdir ssl/ 

cd ssl/ 

openssl genrsa -rand -genkey -out cert.key 2048 

cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.dist 

vi /etc/ssl/openssl.cnf 

dir = ./certs 

default_days = 3650 

default_bits = 2048 

countryName_default = FR 

stateOrProvinceName_default = IDF 

localityName_default = Paris 

#0.organizationName_default = 

openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256 

Country Name (2 letter code) [FR]: 

State or Province Name (full name) [IDF]: 

Locality Name (eg, city) [Paris]: 

Organization Name (eg, company) []:YOUR_COMPANY 

Organizational Unit Name (eg, section) []: 

Common Name (e.g. server FQDN or YOUR name) [] 

Email Address [] 



Creating a self-signed certificate (old doc) 

Deploy the OpenSSL configuration example (NetBSD path), 

  cd /etc/openssl/ 

  cp /usr/share/examples/openssl/openssl.cnf . 


Generate the private key, 

  cd /etc/openssl/ 

  openssl genrsa -des3 -out server.key 1024 

Note. passphrase will be removed afterwards 


Generate a Certificate Signing Request, 

  cd /etc/openssl/ 

  openssl req -new -key server.key -out server.csr 

Note. at the end, challenge password : empty 

Note. at the end, optional company name : empty 


Remove Passphrase from Key, 

mv server.key server.key.pass 

openssl rsa -in server.key.pass -out server.key 


Generate the self-signed certificate, 

  openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt 


You now got those available!