Import Existing SSL Certificate Chain into Java Keystore for use in Teaming

SSL Tomcat Keystore Wildcard Certificate

If you are planning on installing an existing SSL certificate into Tomcat, it is not as simple as one would hope. The instructions below are a summary of what finally worked after many hours of trial and error. They are specific to Kablink Teaming, but the same approach applies to importing any existing PEM certificate into a Java keystore.

Prepare the Existing PEM Certificates

In order to properly import the certificates we will need to edit and then concatenate the certificate chain files. For the purposes of this example we will use Wildcard.crt, Wildcard-bundle.crt, and Wildcard.key as the file names.

cd /path/to/crt/files/
vi Wildcard.crt                # Remove any extra lines outside of -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
vi Wildcard-bundle.crt         # Remove any extra lines outside of -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
cp Wildcard.crt Wildcard.master.crt.pem
cat Wildcard-bundle.crt >> Wildcard.master.crt.pem
cd /path/to/key/file/
cp Wildcard.key Wildcard.master.key.pem

Now that the files are prepared, you will use Wildcard.master.crt.pem and Wildcard.master.key.pem for the remaining steps.

Acquire the KeyTool IUI

The following link has both a standalone application as well as a Java WebStart application available to create a new keystore. Please visit the link and choose your preferred method of running the application.

http://yellowcat1.free.fr/index_ktl.html

Creating the Keystore using KeyTool IUI

For the next part of the discussion I am going to assume that you have placed both .pem files from above as well as the extracted KeyTool IUI into a folder.

# cd /path/to/folder/ktl241sta
# ./run_ktl.sh

Once the application has started follow the remaining steps.

  1. Click on View->Select Task->Create->Keystore
  2. Make sure that JKS is selected and then click on the Save icon next to Keystore file
  3. Navigate to the folder you want to save the keystore to and give it a name.
  4. Click on the Keystore password button and enter "changeit" without the quotes (this password applies to Teaming).
  5. Click on OK
  6. Click on View->Select Task->Import->Keystore's Entry->Private Key->PEM File format
  7. For Private key file use the Wildcard.master.key.pem file you created.
  8. For Certificate chain file use the Wildcard.master.crt.pem file you created.
  9. Select the Keystore file you created above
  10. Enter the Keystore password of "changeit" without the quotes (again, we set this as the password for use with Teaming).
  11. Click on OK
  12. Enter the new private key entry's alias and make it "tomcat" without the quotes (Teaming recommendation).
  13. Enter the password of "changeit" (Teaming requirement).
  14. Click on OK
  15. If you want to view the entry, you can right-click on the tomcat alias and choose View Certificate to see the details.
  16. Close the application and proceed to the next step.

If you want to check the keystore file, you can run the following command and use the password of "changeit" without the quotes.

keytool -list -v -keystore keystore.jks
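The same preparation and import can also be done from the command line with openssl and keytool instead of KeyTool IUI. This is an added example and not part of the original post; it assumes the file names used above, the "tomcat" alias and the "changeit" password that Teaming expects, and that openssl and a JDK keytool are installed for the final import step.

```shell
#!/bin/sh
# Added example: command-line equivalent of the PEM clean-up, concatenation and
# JKS import described in the post (not the post's own commands).
set -eu

# Keep only the certificate blocks of a PEM file, dropping anything outside the
# -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- markers (the manual
# "vi" clean-up step). CRLF line endings are stripped first so the anchored
# patterns match files that arrived from a Windows system.
# Usage: pem_certs_only in.crt > out.pem
pem_certs_only() {
    tr -d '\r' < "$1" |
        sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Build the chain file: the server certificate first, then the intermediates
# from the bundle. Prints the number of certificates written, so a wrong count
# (e.g. an empty bundle) is visible immediately.
# Usage: build_chain Wildcard.crt Wildcard-bundle.crt Wildcard.master.crt.pem
build_chain() {
    { pem_certs_only "$1"; pem_certs_only "$2"; } > "$3"
    grep -c '^-----BEGIN CERTIFICATE-----$' "$3"
}

# Import the private key and chain into a JKS keystore by way of a PKCS#12
# file; keytool cannot read a bare PEM key directly. openssl pairs the key with
# the matching certificate in the chain file and carries the others along.
# Usage: import_to_jks Wildcard.master.key.pem Wildcard.master.crt.pem keystore.jks [password]
import_to_jks() {
    key="$1"; chain="$2"; store="$3"; pass="${4:-changeit}"
    p12="${store%.jks}.p12"
    openssl pkcs12 -export -inkey "$key" -in "$chain" -name tomcat \
        -out "$p12" -passout "pass:$pass"
    keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 \
        -srcstorepass "$pass" -destkeystore "$store" -deststoretype JKS \
        -deststorepass "$pass" -destkeypass "$pass" -noprompt
    rm -f "$p12"   # the PKCS#12 file holds the private key; do not leave it behind
    # Confirm the entry landed under the alias Teaming expects.
    keytool -list -keystore "$store" -storepass "$pass" | grep -c '^tomcat,'
}
```

Run `build_chain` first and check that the printed count matches the number of certificates you expected (leaf plus each intermediate); then run `import_to_jks` and copy the resulting keystore into place as described in the next section.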

The final stage of instructions only applies to Kablink Teaming. If you have a different application, you should review its documentation for details on where to install the keystore.

# cd /opt/novell/teaming/apache-tomcat-6.0.18/conf/
# cp -a .keystore .keystore.bak
# cp -a /path/to/keystore/created ./.keystore
# chmod 750 .keystore
# rcteaming restart; tail -f /opt/novell/teaming/apache-tomcat-6.0.18/logs/catalina.out

Hopefully you do not see any errors while the server is starting up. Once the server has booted check to make sure that the SSL service is reachable.

Here are some helpful links and tips on keytool.

List existing certificates in keystore

keytool -list -v -keystore .keystore

Change the keystore password

keytool -storepasswd -new changeit -keystore .keystore

Helpful (sort of) Links:
Tomcat SSL Howto
Teaming SSL Certificate Howto
Common Java Keytool Commands

Other links I reviewed that may be of help to others:
http://community.kablink.org/ssf/a/do?p_name=ss_forum&p_action=1&binderId=103&action=view_folder_entry&entryId=3801
http://www.agentbob.info/agentbob/79-AB.html
http://wiki.eclipse.org/Generating_a_Private_Key_and_a_Keystore
http://stackoverflow.com/questions/906402/importing-an-existing-x509-certificate-and-private-key-in-java-keystore-to-use-in
http://cunning.sharp.fm/2008/06/importing_private_keys_into_a.html
