How can i migrate SSL from Tomcat to Apache HTTPD?

Question

I am migrating my single server tomcat to a cluster, load balanced and cached by Apache HTTPD (reverse proxy with mod_proxy). Is it possible to convert the certificate and keys

Answer 1

It's quite easy to extract the certificates directly with keytool, it's a bit trickier to extract the private key (although you could write programs to do so). I'd suggest using a combination of keytool and openssl.

If your keystore is in PKCS#12 format (.p12 file), skip this step. Convert your JKS store into a PKCS12 store using keytool (need version from Java 6+)

keytool -importkeystore -srckeystore thekeystore.jks \
                        -srcstoretype JKS \
                        -destkeystore thekeystore.p12 \
                        -deststoretype PKCS12

Then, extract the certificate using openssl:

openssl pkcs12 -in thekeystore.p12 -clcerts -nokeys -out servercert.pem

Extract the private key:

umask 0077
openssl pkcs12 -in thekeystore.p12 -nocerts -nodes -out serverkey.pem
umask 0022

Note that, because the -nodes option is used when extracting the private key, the private key file won't be protected (as it mustn't have a password to be usable by Apache Httpd), so make sure no one else can read it.

Then, configure Apache Httpd using SSLCertificateFile and SSLCertificateKeyFile to point to the certificate file and the private key file, respectively.