Astonishingly, JDK's keytool includes the ability to generate a private key, but not the ability to [directly] import one. A workaround is to use OpenSSL's PKCS12 tool to create a PKCS12 "keystore" for keytool to import:
openssl pkcs12 -export -passout pass:password -in example.com.crt -inkey example.com.key -out example.com.pkcs12 -name example.com -CAfile ca_chain.crt -caname root
keytool -importkeystore -deststorepass password -destkeypass password -destkeystore example.com.keystore -srckeystore example.com.pkcs12 -srcstoretype PKCS12 -srcstorepass password -alias example.com
rm example.com.pkcs12
keytool -import -alias ca_chain -keystore example.com.keystore -storepass password -trustcacerts -file ca_chain.crt
This requires:
- example.com.key to contain the private key
- example.com.crt to contain the certificate
- ca_chain.crt to contain the CA’s certificate chain
This produces:
- example.com.keystore
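The same three steps, as an added example that is not part of the original post: it builds a throwaway CA and a CA-signed server key and certificate as stand-ins for example.com.key, example.com.crt and ca_chain.crt (constructed fixtures, not real material), runs the OpenSSL export and the two keytool imports, and then checks with keytool -list that the alias is a PrivateKeyEntry rather than a bare certificate, which is the check that distinguishes a working keystore from the "does not identify a key entry" case. The password and file names are constructed for the example; the -noprompt flags are added so the script runs unattended.

```shell
#!/bin/sh
# Added example: OpenSSL PKCS12 -> keytool import, then verify the entry type.
# Not from the original post. Fixtures (CA, key, cert) are constructed here;
# the password "password" is a placeholder.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=password            # constructed placeholder; use a real secret
ALIAS=example.com

# Fixture only: a one-day test CA and a server key/cert signed by it, standing
# in for example.com.key, example.com.crt and ca_chain.crt.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca_chain.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$ALIAS" \
        -keyout "$WORK/$ALIAS.key" -out "$WORK/$ALIAS.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$ALIAS.csr" -CA "$WORK/ca_chain.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/$ALIAS.crt" >/dev/null 2>&1
}

# The procedure from the post: wrap key + cert in a PKCS12 bundle, import the
# bundle as a key entry, delete the bundle, add the CA chain as a trusted cert.
# Removing any previous keystore first makes the function safe to re-run.
build_keystore() {
    rm -f "$WORK/$ALIAS.keystore"
    openssl pkcs12 -export -passout "pass:$PASS" \
        -in "$WORK/$ALIAS.crt" -inkey "$WORK/$ALIAS.key" \
        -out "$WORK/$ALIAS.pkcs12" -name "$ALIAS" \
        -CAfile "$WORK/ca_chain.crt" -caname root
    keytool -importkeystore -noprompt \
        -deststorepass "$PASS" -destkeypass "$PASS" \
        -destkeystore "$WORK/$ALIAS.keystore" \
        -srckeystore "$WORK/$ALIAS.pkcs12" -srcstoretype PKCS12 \
        -srcstorepass "$PASS" -alias "$ALIAS" >/dev/null 2>&1
    rm "$WORK/$ALIAS.pkcs12"
    keytool -import -noprompt -alias ca_chain \
        -keystore "$WORK/$ALIAS.keystore" -storepass "$PASS" \
        -trustcacerts -file "$WORK/ca_chain.crt" >/dev/null 2>&1
}

# Report the entry type keytool lists for an alias: "PrivateKeyEntry" for a
# key plus certificate chain, "trustedCertEntry" for a certificate alone.
# Tomcat's keyAlias must name a PrivateKeyEntry.
entry_type() {
    keytool -list -keystore "$WORK/$ALIAS.keystore" -storepass "$PASS" \
        -alias "$1" 2>/dev/null | sed -n 's/.*, *\([A-Za-z]*Entry\),.*/\1/p'
}

main() {
    make_fixture
    build_keystore
    echo "$ALIAS -> $(entry_type "$ALIAS")"      # PrivateKeyEntry
    echo "ca_chain -> $(entry_type ca_chain)"    # trustedCertEntry
}

# Run the demonstration only when both tools are on PATH.
if command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1; then
    main
else
    echo "openssl and keytool are required for this example" >&2
    exit 0
fi
```

If the first line printed for the server alias says trustedCertEntry instead of PrivateKeyEntry, the PKCS12 bundle did not carry the private key (wrong -inkey, or the key and certificate do not match), and Tomcat will fail with the "does not identify a key entry" error quoted below. Note that recent OpenSSL versions emit PKCS12 bundles using PBES2/AES by default, which older Java releases may not be able to read; if keytool rejects the bundle, check the OpenSSL and JDK versions before suspecting the key material.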
This keystore can be used in Tomcat's server.xml as:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="example.com.keystore" keystorePass="password" keyAlias="example.com"/>
The issues dealt with along the way included:
java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.
because I had not specified keyAlias (I think) and:
java.io.IOException: Alias name example.com does not identify a key entry
because I had no private key in the keystore, despite having the relevant certificate.