Convert an OpenSSL (Apache) SSL Certificate to a PKCS12 (Tomcat)

Posted on April 21st, 2007 in General by Brandon

I just spent a couple hours trying to figure out how to convert an OpenSSL Key/Certificate to one that can be used by Tomcat. It turned out to be way more complicated than I thought, and I had to piece together instructions from various web sites. Here’s how I did it:

Convert the key and certificate to a PKCS12 keystore. This will prompt you for a password, which you will need when you change the Tomcat configuration.

openssl pkcs12 -export -in /etc/apache2/ssl.crt/ -out -name "" -inkey /etc/apache2/ssl.key/

Verify that the pkcs12 file contains your key. You should be able to see your certificate’s common name, and various other parameters.

keytool -list -v -keystore -storetype pkcs12

Now configure Tomcat by editing conf/server.xml and changing the SSL Connector to something like this:

<Connector port="8443" maxThreads="150" acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreType="PKCS12"
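
The conversion and verification steps above, as an added example that is not part of the original post. It checks that the private key actually belongs to the certificate before bundling them, passes the export password through an environment variable instead of the command line, and reads the keystore back with openssl rather than keytool so it runs without a JDK. The function names, the alias "tomcat", the throwaway self-signed pair and the password are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example. The alias "tomcat", the CN, the file names and the password
# are constructed for the demo; nothing here comes from the original post.

# Throwaway self-signed key/cert pair: writes <prefix>.key and <prefix>.crt.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.example.test" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# pem_to_p12 CERT KEY OUT NAME: bundle a PEM certificate and key into a
# PKCS12 keystore. The export password is read from $P12_PASS so it never
# appears in the process list. Exit status 2 means the key does not belong
# to the certificate. The body is a subshell, so umask stays local.
pem_to_p12() (
    cert=$1 key=$2 out=$3 name=$4
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$key" -pubout) || exit 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        exit 2
    fi
    umask 077   # keystore holds the private key: owner-only permissions
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$name" \
        -out "$out" -passout env:P12_PASS
)

# Print the subject of the certificate stored in the keystore.
p12_subject() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS 2>/dev/null |
        openssl x509 -noout -subject
}

# Stand-alone run on the constructed pair.
demo_dir=$(mktemp -d)
export P12_PASS='constructed-demo-password'
make_demo_pair "$demo_dir/server" &&
    pem_to_p12 "$demo_dir/server.crt" "$demo_dir/server.key" \
        "$demo_dir/server.p12" tomcat &&
    p12_subject "$demo_dir/server.p12"
rm -rf "$demo_dir"
```

The resulting file is the one the keytool -list -v ... -storetype pkcs12 check above would read, and the value of P12_PASS is the password the Tomcat configuration needs.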

4 Responses to 'Convert an OpenSSL (Apache) SSL Certificate to a PKCS12 (Tomcat)'

  1. on March 24th, 2008 at 2:01 pm

    keytool throws an error on my system.
    keytool error (likely untranslated): Error in loading the keystore: Private key decryption error: (java.lang.SecurityException: Unsupported keysize or algorithm parameters)

    Any thoughts?


  2. Johannes Engler said,

    on August 27th, 2008 at 10:02 am

    Thx alot man,

    u saved my day.



  3. Anil said,

    on September 22nd, 2009 at 5:07 pm

    Thanks a lot this was very handy

  4. Jake said,

    on July 20th, 2011 at 11:51 am

    Oh— thank you, sir! Made my day as well.
