Page tree
Skip to end of metadata
Go to start of metadata


Generate the signed certificate as in Get an SSL Certificate from Informatik Dienste


Put everything in a pkcs12 container

The private key and the keystore must have the same password

$ HOST=""
$ cat $HOST.crt ../qvsslica.pem > $HOST.chain
$ openssl pkcs12 -export -inkey $HOST.key -in $HOST.chain -out $HOST.pkcs12

This will create a pkcs12 format file with the cert and the key. Make sure you remember the password. Use "changeit" for the password if you want the tomcat default.

Next, import the file into a jks (java keystore) format file.

$ keytool -importkeystore -destalias tomcat -destkeystore $HOST.keystore -srckeystore $HOST.pkcs12 -srcstoretype PKCS12 -alias 1

The file $HOST.keystore can either be configured in $TOMCAT_HOME/conf/server.xml or stored directly in the tomcat users $HOME/.keystore


To remove the pass phrase on an RSA private key:

openssl rsa -in key.pem -out keyout.pem

To encrypt a private key using triple DES:

openssl rsa -in key.pem -des3 -out keyout.pem

To convert a private key from PEM to DER format:

openssl rsa -in key.pem -outform DER -out keyout.der

To print out the components of a private key to standard output:

openssl rsa -in key.pem -text -noout

To just output the public part of a private key:

openssl rsa -in key.pem -pubout -out pubkey.pem