Importing an Existing SSL Certificate and Private Key to Tomcat

To import an existing SSL certificate and private key to Tomcat, do the following:

  1. Convert the certificate and private key to a PKCS12 file

    You cannot directly import private key information to a keystore using keytool. You must convert the certificate and private key into a PKCS12 (.p12) file, and then you can import the PKCS12 file to your keystore.

    Run the following command:

    openssl pkcs12 -export -in [filename-certificate] -inkey [filename-key] -name [host] -out [filename-new-PKCS-12.p12]

  2. Import the certificate to your keystore

    1. Import the PKCS12 certificate by executing the following command:

      keytool -importkeystore -deststorepass [password] -destkeystore [filename-new-keystore.jks] -srckeystore [filename-new-PKCS-12.p12] -srcstoretype PKCS12

      where [password] is the password you specified when you created the private key.

    2. Run one of the following commands:

      • If you have a CA bundle file, import it by running the following command:

        keytool -import -alias bundle -trustcacerts -file [ca_bundle] -keystore [filename-new-keystore.jks]

      • If you do not have a CA bundle file, import certificates by running the following command:

        keytool -import -alias [certificate-type] -trustcacerts -file [certificate-file] -keystore [filename-new-keystore.jks]

        where [certificate-type] is the type of certificate, for example, root or intermediate.

  3. Configure PPM.

    1. In the server.conf file, add the following parameters:

      #turn on SSL login
      #if you use http_port 8080 then https_port will be set to 8443. Please verify if your IIS is using port 443, otherwise you have to either stop IIS or use a different http_port and https_port here
      #keystore file physical location on PPM machine created from step 2-a
      #Encrypted keypassword. By default it is changeit, and you need to run to encrypt this password. Each PPM instance has its own encryption content. 
      com.kintana.core.server.HTTPS_KEYPASSWORD=#!#7w:x?vv=MdXJ}2&bJbrykTMY3FI>R1{<+Kw^fjN=hjw8hz2HrTd_X8w+~|Tx19ZiO_oS }rpTHSX(B@)LM{A~c~M<N9GVw,2jLOf(e=WZNbLo)xarUny.mKp|p{ +1LySpZS flrG{v3&:?k8|<y.y0 b`Kp|G/`s^q.GR|4?s}&jD$rtamfkqZr?$UT-#!#
    2. Modify the following parameters:

      #if your IIS on the same PPM machine has to use port 443, then you must change PPM http_port to something other than 8080 and also update the https_port parameter
      #the domain name must match the name that you specified when you created the private key

    3. Save the file.

    4. Stop PPM Server and run kUpdateHtml.

    5. Start PPM Server and test the login using BASE_URL such as
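
A pre-flight check for step 1 above, as an added example that is not part of the original page: it confirms that the certificate and private key belong together before building the PKCS12 file, then reads back the alias that keytool will import in step 2. The file names, the host name ppm.example.test and the P12_PASS variable are assumptions, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example, not from the original page. File names, the host name
# ppm.example.test and the P12_PASS variable are assumptions.

# Succeeds only if the certificate and the private key carry the same public key.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Step 1 with the guard in front. The export password comes from the exported
# P12_PASS variable so it does not show up in the process list.
make_p12() {  # usage: make_p12 CERT KEY HOST OUT
    cert_matches_key "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
    ( umask 077  # the .p12 contains the private key: owner-only permissions
      openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" -out "$4" -passout env:P12_PASS )
}

# Friendly name stored in the PKCS12 file; keytool -importkeystore uses it as the alias.
p12_alias() {  # usage: p12_alias P12FILE
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Constructed sample input: a throwaway self-signed certificate and key.
make_sample() {  # usage: make_sample DIR BASENAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ppm.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    P12_PASS=constructed-demo-pass; export P12_PASS
    make_sample "$dir" good && make_sample "$dir" other || return 1
    make_p12 "$dir/good.crt" "$dir/good.key" ppm.example.test "$dir/good.p12" &&
        echo "alias in PKCS12: $(p12_alias "$dir/good.p12")"
    make_p12 "$dir/good.crt" "$dir/other.key" ppm.example.test "$dir/bad.p12" ||
        echo "mismatched pair rejected"
    rm -rf "$dir"
}
demo
```

After step 2, running keytool -list against [filename-new-keystore.jks] should show the [host] alias as a PrivateKeyEntry; a trustedCertEntry under that alias means the private key was not imported.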