views: 446

answers: 3

I have a Java application that runs on Windows Mobile devices using a 3rd Party JVM. The application communicates with an Apache Tomcat server over HTTP. We have also used HTTPS for some connections and the certificates were created using the Sun keytool utility. First a keystore was created using genkey, then the certificate exported using export and finally that was imported into another keystore using import. The file created by genkey was loaded into the Apache server and the keystore created using import was loaded into the JVM on the PDA. Everything works as expected.

I am now working with a new JVM on the PDA and (for whatever reason) I have established that this JVM requires the keystore to be in X509 (DER) format. I started working on this about a month ago and had it working, but stupidly never wrote down the steps I took, and now I can't for the life of me remember what I did. I seem to remember using openssl but other than that I am totally lost. Anything I create now using openssl and try to load into Apache causes an error at startup (Invalid Keystore Format) so I am probably missing something out entirely.

Does anyone have any ideas how I should be going about creating this self-signed X509 certificate that can be loaded into Apache server and JVM running on a PDA?

UPDATE

I followed the instructions from Apache on creating the self-signed certificate:

openssl req -new -x509 -nodes -out server.crt -keyout server.key

But when I copy the key to the Apache conf directory and start up I get an exception:

java.io.IOException: invalid keystore format
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:633)
...

The server.xml file contains the following entry for HTTPS:

<Connector port="6969"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           sslProtocol="TLS"
           secure="true"
           clientAuth="false"
           keystoreFile="./conf/server.key"
           keystorePass="password"
           ciphers="SSL_RSA_WITH_RC4_128_MD5"
/>

I guess the keystore needs to be a Java Keystore format?? But I need the certificate to be x509 format for the device, so I am not sure how to go about doing this?

A: 

If you're already following the instructions from Apache, then you need to supply more details about the Invalid Keystore Format.

John
A: 

The KeyStoreBuilder utility in not-yet-commons-ssl-0.3.11.jar can convert between Apache/OpenSSL style PEM certificates and Java keystore files:

http://juliusdavies.ca/commons-ssl/utilities.html#ksb

Try running this to see the command-line option:

java -cp not-yet-commons-ssl-0.3.11.jar org.apache.commons.ssl.KeyStoreBuilder

Julius Davies
A: 

You write that the new JVM on the PDA requires the DER format. The openssl command line you are using will create PEM files by default. You can convert those server.crt and server.key PEM files to DER format using these openssl commands:

$ openssl x509 -in server.crt -outform DER -out server.crt2
$ openssl rsa -in server.key -outform DER -out server.key2

PEM files will be readable as text files, and DER files will be binary. If it's really just a difference of PEM vs. DER format, this should do the trick.

Jim Flood
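As an added example that is not part of Jim Flood's answer or the original question: a POSIX shell script that runs the PEM-to-DER conversion above and then checks that the DER files still describe the same certificate and private key as the PEM originals, which is the check to make before copying them to the device. It assumes the OpenSSL command-line tool is installed; the file names and the certificate subject are illustrative.

```shell
#!/bin/sh
# Added example, not code from the question or answers.
# Assumes the OpenSSL CLI is installed. File names are illustrative.
set -eu

# Create a throwaway self-signed PEM cert + key, as in the Apache
# instructions, but non-interactively (constructed sample subject).
make_pem_pair() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 30 \
        -subj "/CN=pda-test.example" \
        -out "$1" -keyout "$2" 2>/dev/null
}

# Convert the PEM cert and key to DER (binary), then verify that the
# DER files really are the same certificate and key as the PEM ones.
# Returns 0 only when the cert fingerprints and the public keys match.
pem_to_der_checked() {
    crt_pem=$1; key_pem=$2; crt_der=$3; key_der=$4
    openssl x509 -in "$crt_pem" -outform DER -out "$crt_der"
    openssl rsa  -in "$key_pem" -outform DER -out "$key_der" 2>/dev/null
    # A certificate's fingerprint is over the DER bytes, so it must be
    # identical whichever encoding the file on disk uses.
    fp_pem=$(openssl x509 -in "$crt_pem" -noout -fingerprint -sha256)
    fp_der=$(openssl x509 -in "$crt_der" -inform DER -noout -fingerprint -sha256)
    [ "$fp_pem" = "$fp_der" ] || return 1
    # The converted key must still belong to the certificate: the public
    # key embedded in the cert must equal the public half of the key file.
    pub_crt=$(openssl x509 -in "$crt_der" -inform DER -noout -pubkey)
    pub_key=$(openssl rsa  -in "$key_der" -inform DER -pubout 2>/dev/null)
    [ "$pub_crt" = "$pub_key" ]
}

# Tell PEM from DER: PEM is base64 text between BEGIN/END markers,
# DER is raw ASN.1 bytes. Prints "PEM" or "DER".
cert_encoding() {
    if grep -q -- '-----BEGIN' "$1" 2>/dev/null; then echo PEM; else echo DER; fi
}
```

If `pem_to_der_checked` fails, the DER files are not a faithful copy of the PEM pair and should not be loaded anywhere.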