Move/Copy SSL Certificate from Tomcat/Java Server to OpenSSL
Moving an SSL certificate from Tomcat or Java Server to OpenSSL requires specific steps to ensure security and functionality. The SSL certificate transfer process between these server environments needs proper file format conversion and key handling.
System administrators can complete this migration by converting the Java KeyStore (JKS) format to PEM format, which OpenSSL uses. This guide explains the essential commands and procedures to extract your SSL certificate, convert it to the correct format, and configure it in OpenSSL.
You will learn how to maintain certificate integrity during the transfer, verify the certificate details, and ensure proper implementation in your new OpenSSL environment.
A Step-by-Step Guide to Migrate/Copy SSL Certificate From Tomcat to OpenSSL
Here is a step-by-step guide to migrating your SSL certificate from Tomcat to OpenSSL.
- Export the certificate and private key from the Tomcat server
- Convert the certificate and private key into a format compatible with OpenSSL
- Install the OpenSSL toolkit on the new server
- Import the certificate and private key into OpenSSL
- Configure OpenSSL and the new server to use the imported certificate
Step 1: Export the Certificate and Private Key from Tomcat
The first step is exporting the SSL certificate and associated private key from the Tomcat server.
Here is how to do this:
- Log into the Tomcat server and navigate to the folder containing the certificate files (usually /etc/pki/tls/certs).
- Locate the certificate file (ends with .crt or .pem) and the private key file (ends with .key).
- Open the certificate file and copy/paste its contents into a new file named certificate.crt.
- Open the private key file and copy/paste its contents into a new file named private.key.
- Double-check that the full certificate and private key are exported into the two new files.
- Transfer the new certificate.crt and private.key files securely to the new OpenSSL server.
This exports Tomcat’s certificate data and private key into two standard PEM-encoded files compatible with OpenSSL.
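When Tomcat keeps its key pair in a Java KeyStore, as the introduction describes, there are no .crt and .key files to copy, and the pair has to be exported through PKCS#12 first. The script below is an added example, not part of the original guide; the file names, the alias tomcat, the KS_PASS variable and the throwaway demo keystore are assumptions constructed for illustration.

```bash
# Added example: pull a PEM key and certificate out of a Tomcat keystore.
# Assumptions: file names, the alias "tomcat", and the KS_PASS variable.

# JKS -> PKCS#12. Needs the JDK's keytool; it prompts for both passwords.
jks_to_p12() {  # usage: jks_to_p12 keystore.jks keystore.p12 tomcat
    keytool -importkeystore -srckeystore "$1" -srcstoretype JKS \
        -destkeystore "$2" -deststoretype PKCS12 -srcalias "$3"
}

# PKCS#12 -> $2/private.key and $2/certificate.crt (both PEM).
# The password is read from $KS_PASS, so it never shows up in the process list.
p12_to_pem() {  # usage: p12_to_pem keystore.p12 outdir
    (
        umask 077   # the unencrypted key is created 0600 from the start
        openssl pkcs12 -in "$1" -nocerts -nodes -passin env:KS_PASS |
            openssl pkey -out "$2/private.key"
    ) || return 1
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:KS_PASS |
        openssl x509 -out "$2/certificate.crt"
}

# Demo on a constructed, throwaway key pair (no real keystore involved).
demo_dir=$(mktemp -d)
export KS_PASS='constructed-demo-pass'
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=www.example.com \
    -keyout "$demo_dir/orig.key" -out "$demo_dir/orig.crt" 2>/dev/null
openssl pkcs12 -export -name tomcat -inkey "$demo_dir/orig.key" \
    -in "$demo_dir/orig.crt" -passout env:KS_PASS -out "$demo_dir/keystore.p12"
p12_to_pem "$demo_dir/keystore.p12" "$demo_dir" && ls -l "$demo_dir"
```

For a real keystore, run jks_to_p12 first, export KS_PASS with the PKCS#12 password you chose at the keytool prompt, then call p12_to_pem.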
Step 2: Convert Formats (if needed)
OpenSSL generally accepts the PEM-encoded certificate and key files we exported from Tomcat. However, occasionally, conversion to a different format is beneficial.
For example, you can convert the private key into a PKCS#8 format so OpenSSL can integrate it more easily.
Here are some potential conversions to consider:
- Convert a private key to PKCS#8 (-nocrypt leaves the output key unencrypted): openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private.key -out pkcs8.key
- Convert the certificate to DER: openssl x509 -outform der -in certificate.crt -out certificate.der
Run any required conversion commands on the certificate and private key files. Then, if needed, you can import the converted versions into OpenSSL instead of the original PEM files.
Step 3: Install OpenSSL (if needed)
If the new server does not already have OpenSSL installed, you must install it before proceeding.
Most Linux distributions have OpenSSL available in their package repositories. Just run the appropriate installer command for your distro:
- Ubuntu/Debian: sudo apt install openssl
- RHEL/CentOS: sudo yum install openssl
- Arch Linux: sudo pacman -S openssl
This will install the OpenSSL certificate management tools needed to complete the migration.
Step 4: Import the Certificate and Key into OpenSSL
With OpenSSL installed, we can import the certificate and private key. This will install them into OpenSSL for use on the new server.
OpenSSL Commands to Import the certificate:
openssl x509 -inform PEM -in certificate.crt -out certificate.pem
openssl x509 -inform PEM -in certificate.pem -out certificate.crt
cp certificate.crt /etc/ssl/certs/
OpenSSL Command to Import the private key:
openssl rsa -inform PEM -outform PEM -in private.key -check -out private.key
chmod 600 private.key
mv private.key /etc/ssl/private/
This installs the certificate into /etc/ssl/certs/ and the private key into /etc/ssl/private/, where OpenSSL will look for them by default.
Double-check that the files were imported correctly by OpenSSL:
openssl x509 -in /etc/ssl/certs/certificate.crt -text -noout
openssl rsa -in /etc/ssl/private/private.key -check
The certificates and keys are ready for use on the new OpenSSL server.
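The two double-check commands above inspect each file on its own; they do not show that the key belongs to the certificate. The following added example (not from the original guide) compares the public keys, checks the key file's permissions and flags a certificate close to expiry; the function names and the constructed throwaway demo files are assumptions.

```bash
# Added example: post-migration checks on a certificate/key pair.
# Function names are illustrative; the demo files below are constructed.

# Succeeds only if the key's public half equals the certificate's public key.
key_matches_cert() {  # usage: key_matches_cert cert key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the key file grants nothing to group or others.
key_is_private() {  # usage: key_is_private key
    case "$(ls -l "$1")" in
        -rw-------*|-r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if the certificate is still valid $2 days from now.
cert_valid_for_days() {  # usage: cert_valid_for_days cert days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

check_migration() {  # usage: check_migration cert key
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; return 1; }
    key_is_private "$2" || { echo "FAIL: key readable by group/others"; return 1; }
    cert_valid_for_days "$1" 30 || echo "WARN: certificate expires within 30 days"
    echo "OK: $1 and $2 belong together"
}

# Demo: one matching pair plus an unrelated key, all throwaway.
d=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj /CN=www.example.com \
    -keyout "$d/private.key" -out "$d/certificate.crt" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/other.key" 2>/dev/null
chmod 600 "$d/private.key" "$d/other.key"
check_migration "$d/certificate.crt" "$d/private.key"
check_migration "$d/certificate.crt" "$d/other.key" || true
```

On the migrated server, call check_migration /etc/ssl/certs/certificate.crt /etc/ssl/private/private.key before restarting the web server.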
Step 5: Configure the Server to Use OpenSSL
Finally, we must configure the new server to use OpenSSL instead of Tomcat to handle SSL encryption.
For an Apache Web Server
If migrating the certificate to use with Apache, make sure Apache is installed with the OpenSSL module rather than NSS:
- Ubuntu/Debian: sudo apt install apache2 && sudo a2enmod ssl (mod_ssl is included in the apache2 package)
- RHEL/CentOS: sudo yum install httpd mod_ssl
Then, update the Apache SSL configuration file at /etc/httpd/conf.d/ssl.conf (the CentOS/RHEL location; the path may differ on other distributions) to point to the new certificate and key:
SSLCertificateFile /etc/ssl/certs/certificate.crt
SSLCertificateKeyFile /etc/ssl/private/private.key
Restart Apache to apply the changes (the service is named apache2 on Ubuntu/Debian and httpd on RHEL/CentOS):
sudo systemctl restart apache2
Apache will now provide encryption using the migrated OpenSSL certificate.
For Nginx Web Server
To configure Nginx to use the migrated certificate:
- Install Nginx with OpenSSL support if needed: sudo apt install nginx openssl
- Update the Nginx server block to reference the new certificate and key:
  server {
      listen 443 ssl;
      server_name www.example.com;
      ssl_certificate /etc/ssl/certs/certificate.crt;
      ssl_certificate_key /etc/ssl/private/private.key;
      # Other server settings
  }
- Reload the Nginx config: sudo systemctl reload nginx
Nginx will now serve the domain over HTTPS using the OpenSSL certificate.
For Other Processes
Any other application or process needing HTTPS support can use OpenSSL and reference the new certificate and key files. Consult the application’s documentation for details.
Final Thoughts
Migrating an SSL certificate from Tomcat to OpenSSL requires carefully exporting certificates and keys, converting formats, installing OpenSSL, importing the credentials, and properly configuring the new server. Follow the steps in this guide, and you can successfully move your certificate between Java-based and OpenSSL-based systems.
Your application will maintain its secure HTTPS access, which is now powered by OpenSSL instead of Tomcat. The certificate migration allows you to deploy the certificate across diverse environments and avoid vendor lock-in.
Frequently Asked Questions (FAQs)
Here are some common questions people have about migrating Tomcat SSL certificates to OpenSSL:
Can I export an SSL certificate from a live Tomcat server without downtime?
Yes, you can safely export the certificate and key from a live Tomcat server without disrupting the running service. The export process reads the files without modifying them or impacting Tomcat’s operations.
What OpenSSL toolkit version is needed to import the Tomcat certificate?
Most modern OpenSSL versions (1.0.1+) should support importing the Tomcat PEM-encoded certificate and key. OpenSSL 1.0.2 or newer is recommended for the latest standards support.
Does the order of the certificate/key matter during import to OpenSSL?
No, OpenSSL will automatically detect the certificate versus private key format regardless of their order. You can import the certificate first, then the key, or vice versa.
Can I install the exported certificate on multiple OpenSSL servers?
Yes, the beauty of OpenSSL is you can install the same certificate on multiple servers. Repeat the import process on each new server on which you wish to install the certificate.
What is the benefit of converting the key to PKCS#8 format before importing to OpenSSL?
Converting to PKCS#8 ensures maximum compatibility with OpenSSL and other systems since PKCS#8 is an industry standard. PKCS#8 can also encrypt the private key with a passphrase for extra security, but only if you omit the -nocrypt option used in Step 2, which writes the key unencrypted.
Does migrating my certificate affect the SEO or rankings of my site in any way?
No, migrating your SSL certificate between Tomcat and OpenSSL does not directly impact SEO or search engine rankings. If your site remains on HTTPS, any effects should be negligible.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.