I am migrating my single server tomcat to a cluster, load balanced and cached by Apache HTTPD (reverse proxy with mod_proxy). Is it possible to convert the certificate and keys to the apache format or i have to re-issue the whole thing?
It's quite easy to extract the certificates directly with keytool
, it's a bit trickier to extract the private key (although you could write programs to do so). I'd suggest using a combination of keytool
and openssl
.
If your keystore is in PKCS#12 format (.p12 file), skip this step. Convert your JKS store into a PKCS12 store using keytool
(need version from Java 6+)
keytool -importkeystore -srckeystore thekeystore.jks \
-srsstoretype JKS \
-destkeystore thekeystore.p12 \
-deststoretype PKCS12
Then, extract the certificate using openssl:
openssl pkcs12 -in thekeystore.p12 -clcerts -nokeys -out servercert.pem
Extract the private key:
umask 0077
openssl pkcs12 -in thekeystore.p12 -nocerts -nodes -out serverkey.pem
umask 0022
Note that, because the -nodes
option is used when extracting the private key, the private key file won't be protected (as it mustn't have a password to be usable by Apache Httpd), so make sure no one else can read it.
Then, configure Apache Httpd using SSLCertificateFile
and SSLCertificateKeyFile
to point to the certificate file and the private key file, respectively.
I would recommend you look into nginx as the frontend load balancer. It is really simple to setup. You should be able to use the certificates you already have.
Thank you guys, it workd. More info here: http://conshell.net/wiki/index.php/Keytool_to_OpenSSL_Conversion_tips