How to import an existing SSL certificate for use in Tomcat
This Knowledge Base article was written specifically for the Atlassian Server platform. Due to the Functional differences in Atlassian Cloud, the contents of this article cannot be applied to Atlassian Cloud applications.
If you have an existing SSL certificate and you want to use this certificate in Tomcat you need to follow specific steps to import the certificate. This article describes these steps.
This article assumes that you have the following available in separate files:
- A private key
- A certificate belonging to the private key
- The certificate of the authority that issued the certificate
It also requires that you have OpenSSL installed on the machine where you are running the commands described.
Finally, it also assumes that you have an existing Tomcat keystore to import the certificate into.
1. Combine the private key and the certificate into a PKCS12 keystore
If you already have a PKCS12 file that contains the certificate which you want to import and the private key belonging to it, then you can skip to step 2.
The first step is to combine the private key and the certificate into a PKCS12 keystore which will be used in the second step. This is required because Java's
keytool utility does not allow you to import a private key and certificate from individual files. To do this, run the command below:
openssl pkcs12 -export -in <certfile> -inkey <keyfile> -out <keystorefile> -name tomcat -CAfile <cacertfile> -caname root
<certfile> is the path to the file that contains the certificate you wish to import,
<keyfile> is the path to the file that contains the private key that belongs to the certificate,
<keystorefile> is the path to the PKCS12 keystore you want to create (you can choose a location yourself, but the file must not exist yet), and
<cacertfile> is the path to the file that contains the certificate (chain) of the certificate authority that issued the certificate which you're trying to import.
When you execute the command you'll be asked for a password for the PKCS12 keystore. You can choose one, but for the sake of simplicity
changeit is a good option, since it is the default password that Tomcat expects. Once the command has completed executing, verify that
<keystorefile> now exists.
2. Merge the Tomcat keystore and the PKCS12 keystore to import the certificate and private key
You will now need to merge the Tomcat keystore and PCS12 keystore, which imports the certificate and private key into Tomcat's keystore. To do that, run the following command:
keytool -importkeystore -deststorepass <keystorepass> -destkeypass <keystorepass> -destkeystore <tomcatkeystorefile> -srckeystore <keystorefile> -srcstoretype PKCS12 -srcstorepass <keystorepass> -alias tomcat
<keystorepass> is the password you chose when you were prompted in step 1,
<tomcatkeystorefile> is the path to the keystore of Tomcat, and
<keystorefile> is the path to the PKCS12 keystore file created in step 1.
Once the command has completed the Tomcat keystore at
<tomcatkeystorefile> contains the certificate and private key you wanted to import. Restart your Atlassian application to make the changes effective.