Convert an OpenSSL (Apache) SSL Certificate to a PKCS12 (Tomcat)

I just spent a couple hours trying to figure out how to convert an OpenSSL Key/Certificate to one that can be used by Tomcat. It turned out to be way more complicated than I thought, and I had to piece together instructions from various web sites. Here’s how I did it:

Bundle the key and certificate into a PKCS12 file. This will prompt you for an export password, which you will need when you change the Tomcat configuration.

openssl pkcs12 -export -in /etc/apache2/ssl.crt/ -out -name "" -inkey /etc/apache2/ssl.key/

Verify that the pkcs12 file contains your key. You should be able to see your certificate’s common name, and various other parameters.

keytool -list -v -keystore -storetype pkcs12

Now configure Tomcat by editing conf/server.xml and changing the SSL Connector to something like this:

<Connector port="8443" maxThreads="150" acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreType="PKCS12"
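
The conversion and verification steps above as a non-interactive script. This is an added example, not part of the original post: it uses a throwaway self-signed pair and constructed names (server.key, server.crt, the alias tomcat, the password file) in place of the Apache files, and it checks the result with openssl rather than keytool.

```shell
#!/bin/sh
# Added example. File names, the alias "tomcat", the CN and the password are constructed.
set -eu

# Stand-in for the existing Apache pair: writes $1/server.key and $1/server.crt.
make_demo_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# pem_to_p12 CERT KEY OUT ALIAS PASSFILE
# The password is read from a file, so it never appears in `ps` or shell history;
# umask 077 keeps the keystore (which holds the private key) owner-readable only.
pem_to_p12() (
  umask 077
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name "$4" -passout "file:$5"
)

# Subject of the certificate stored in the keystore (the common name the post looks for).
p12_subject() {
  openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject
}

# SHA-256 of a PEM public key read from stdin.
pubkey_fp() { openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }

# Succeeds only if the private key in the keystore belongs to the certificate in it.
p12_key_matches_cert() (
  k=$(openssl pkcs12 -in "$1" -passin "file:$2" -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout | pubkey_fp)
  c=$(openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey | pubkey_fp)
  [ -n "$k" ] && [ "$k" = "$c" ]
)

# Demo run in a scratch directory that is removed on exit.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
( umask 077; printf '%s\n' 'demo-only-password' > "$work/pass" )
make_demo_pair "$work" demo.example.test
pem_to_p12 "$work/server.crt" "$work/server.key" "$work/server.p12" tomcat "$work/pass"
p12_subject "$work/server.p12" "$work/pass"
p12_key_matches_cert "$work/server.p12" "$work/pass" && echo "key matches certificate"
```

The same file permissions and password handling apply to the real keystore: Tomcat needs read access to it, and nothing else on the host should have it.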

4 thoughts on “Convert an OpenSSL (Apache) SSL Certificate to a PKCS12 (Tomcat)”

  1. keytool throws an error on my system.
    keytool error (likely untranslated): Error in loading the keystore: Private key decryption error: (java.lang.SecurityException: Unsupported keysize or algorithm parameters)

    Any thoughts?

