How to Move SSL certificate from Apache to Tomcat

https://www.sslsupportdesk.com/how-to-move-ssl-certificate-from-apache-to-tomcat/

Apache uses x509 pem/crt  files which is  is very different than a Tomcat system that uses keystores. You will follow these steps to copy, convert, and move the working Apache certificate to the Tomcat server.

Both Apache and Tomcat are very customizable. The directory location and naming of the individual files needed vary depending on your personalized system. Below are generalized instructions.

We will start by assuming that you have already successfully installed the SSL certificate on the Apache web server.

Step 1: Finding/converting your SSL certificate and key file on Apache:

1. Referencing the httpd.conf or ssl.conf file on the Apache system look for the location and directories of the three files necessary.
   • SSLCertificateFile /usr/local/ssl/crt/public.crt  
     SSLCertificateFile tells Apache how to find the the SSL certificate file.
   • SSLCertificateKeyFile /usr/local/ssl/private/private.key
     SSLCertificateKeyFile tells Apache how to find the private key file.
   • SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt
     SSLCertificateChainFile or SSLCACertificateFile tells Apache the location of the Intermediate file.
2. Copy the three files located within these directories into one location.
3. Using OpenSSL on the Apache system you will perform the following command line conversion.
   Note: you will be prompted for a password.openssl
   pkcs12 -export -in public.crt -inkey private.key -out mycert.p12 -name
   tomcat -CAfile intermediate.crt -caname intermediate -chain
4. The exported keystore will be ‘mycert.p12‘ and will be ready for you to migrate to the Tomcat server.

Step 2: Configuring SSL in Tomcat with your keystore:

1. On the Tomcat server search and open the Tomcat server.xml file.
2. Open the server.xml config file using a text editor (ie. JAKARTA_HOME/conf/server.xml)
   Search for the secure element in your config file (try searching
   for SSL Connector). By default it should look something like this:

   

3. Change the following attributes to reference the location, name, and password of your keystore.
   • keystoreFile=”c:\PATH TO mycert.p12”
   • keystorePass=”password of mycert.p12”
4. Add The following line under KeystorePass=
   • keystoreType=”PKCS12″
5. Save the changes.
6. Stop and Start Tomcat.Your SSL Certificate/Keystore is now installed, and the website is now configured.

Note: PKCS12 keystore type is only supported with Tomcat JDK 1.5.x+

If unsuccessful you will have to
convert your  mycert.p12 file to a .jks file by performing the following
command line in Tomcat using keytool.

keytool -importkeystore -srckeystore mycert.p12 -srcstoretype PKCS12 -destkeystore mycert.jks

If this fails and you cannot get
Tomcat to use the Apache converted keystore you will need to generate a
new keystore and CSR from the Tomcat System and reissue your certificate
to be used on the Tomcat system.

Tomcat Support

For more information refer to Tomcat