Create a SSL keystore for a Tomcat server using Openssl

An SSL certificate was required for one of our customers. The SSL certificate was to be used with a Tomcat server, but I decided to give the customer the flexibility to re-use this certificate on a different webserver if needed. This meant I used openssl to generate the certificate and then created a pkcs12 keystore.

Create the private key and certificate request

Create the certificate key

openssl genrsa -des3 -out customercert.key 2048

Remove the passphrase from the key

openssl rsa -in customercert.key -out customercert.key.new
 mv customercert.key.new customercert.key

Create the Certificate request

openssl req -new -key customercert.key -out customercert.csr

Create the Keystore file for use with tomcat and keytool

I had some trouble getting this to work. This is a very simple procedure when working with certs signed by GoDaddy, but certs from Verisign needed some extra hand-holding. There is some information on how to do this is found at http://conshell.net/wiki/index.php/OpenSSL_to_Keytool_Conversion_tips.

I did not follow the instructions on this site. I ended up creating a keystore in the pkcs12 format instead of the default jks format. This site above does have instructions for converting a pkcs12 keystore to a jks format, if you require.

The signed certificate was downloaded to clients.adaptivetcr.com.cer. The Secure Site with EV Root bundle was downloaded to intermediate.crt. When I first attempted to create the keystore file, I received the error below

openssl pkcs12 -export -chain -CAfile intermediate.crt -in customercert.cer \ 
    -inkey customercert.key -out customercert.keystore -name tomcat -passout pass:changeit\ 
    
Error unable to get issuer certificate getting chain.

Now the interesting thing about this error is that if you attempt a openssl verify using both cert file and intermediate.crt, it does not complain and gives the “OK” message. After a bit of testing, I found that you need to make a new CAfile to be used, that combines the cacerts file from the openssl distribution and the intermediate.crt file.

cat intermediate.crt /etc/ssl/certs/ca-certificates.crt > allcacerts.crt
openssl pkcs12 -export -chain -CAfile allcacerts.crt -in customercert.cer \
    -inkey customercert.key -out customercert.keystore -name tomcat -passout \
    pass:changeit

This successfully created the keystore file. You can look at the contents of the keystore by running

keytool -list -keystore customercert.keystore -storetype pkcs12 -v