If you’ve exported your IIS certificate to use on another Windows server no big deal, right? Have you ever tried to use that same exported wildcard certification on a Tomcat server? In this post I will try to piece together the steps I used to get my exported certificate working on Tomcat.
Exporting the SSL Certificate from IIS (you can skip these steps if you’ve already created the .pfx)
First we need to export the SSL Cert from IIS into pfx format
Open the search window or open powershell and type in mmc and hit enter
From the Microsoft Management Console (MMC), click File then Add/Remove Snap-in
Choose Certificates and click Add
Choose Computer Account then Next
Leave Computer as Local computer and choose Finish
Now hit OKNow that we have the console setup for viewing certificates let’s open the cert we need to export.
Under our Certificates (Local Computer) open Personal then Certificates
Find the wildcard ssl certificate you want to export and Right mouse-click the certificate
Choose All Tasks then Export…
Next
Choose Yes, export the private key
Next
Leave default Personal Information Exchange - PKCS #12 (.PFX)
Also make sure Include all certificates in the certification path if possible is checked
Next
The Security screen allows you to specify the password for the key.
Choose the Password checkbox and type in a password and confirm (make sure you don’t forget this password. You’ll need it later)
Next
Specify a filename for the exported key and leave the format .pfx
Save
Next
Finish
You’ve just completed the hardest part. Now all we have to do is include the new key in one of Tomcat’s xml files. From here we’ll need to copy the newly created pfx file to the server where we have tomcat running then modify the server.xml file under the tomcat folder.
Using new pfx certificate with Tomcat
Copy newly created pfx key to a place we have access on the Tomcat server, but isn’t publicly accessible.
example: c:\mycerts\myexportedcert.pfx
Find the server.xml file for your webserver. (Mine is located under c:\Program Files\Apache Software Foundation\Tomcat9\conf)
Make a copy of Server.xml before you edit the original (just in case!)
Open Server.xml in notepad or another editing program
Look for the section that looks like this:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000" />
Change it to look like this:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="c:\mycerts\yourcertname.pfx"
keystoreType="PKCS12"
keystorePass="your_password" />
If you have a requirement to use a jks key you can convert the pfx key (optional)
In order to convert the exported pfx key to jks format we need to use the java keytool command.
Locate keytool.exe (mine was located in c:\program files\Java\jre\bin)
Run the following command:
"c:\program files\java\jre\bin\keytool.exe" -importkeystore -srckeystore c:\mycerts\yourcertname.pfx -destkeystore c:\mycerts\newkeyname.jks
You’ll be prompted for a new keystore password for the jks file.
After you’ve entered the new keystore password you’ll be required to enter the password for the existing pfx file (hope you remembered it!)
Now you can replace the pfx file with your new jks in the Connector section of the Server.xml file:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="c:\mycerts\yourcertname.jks"
keystoreType="PKCS12"
keystorePass="your_password" />
In this post we exported the existing wildcard SSL certification, copied it over to our Tomcat server and used it in our Server.xml config file. We also went through the steps to convert our pfx to a jks in the event your config does not allow pfx format.
Good luck and let me know if this helped.