Friday, April 12, 2013

Importing SSL Certificates to your Keystore

Hi all,

I've been fighting for three days to get my SSL certificate to work with Tomcat 7. First I'm going to give you some advice. Important advice. You must have both a private key and a certificate for everything to work, and both have to be in the same keystore.
What happened to me:

I installed the certificate I received from Thawte in my keystore. That was very easy: a simple import of the file and it was done. But when I launched Tomcat and looked at the logs for the HTTPS [port: 443] connector initialization, I saw that something was going wrong: no private key found for my certificate. Then my battle started. Where the hell was my private key? I had only received an email with this content:

Your certificate is:
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----

So I started browsing the web and found the process for requesting a signed certificate from a Certification Authority:
1) Generate your keystore together with your private key
2) Create the Certificate Signing Request (CSR)
3) Submit the CSR and wait for your certificate

I wasn't the person who did the whole process; I was just supposed to install the result. I knew nothing about that private key. So today, after three days, I received the .pfx file from the people in charge of the process. When I opened it in Windows I read the following: "You have the private key that corresponds to this certificate." Eureka! It had to be inside that .pfx file. So I dived into the internet and found that a .pfx file can be imported straight into a keystore.

Here are the steps you need to follow to do a correct import:
1) Get the .pfx file with your private key inside. Double-click the .pfx file and install it on your machine, selecting any certificate store on your computer. Open Run, launch certmgr.msc and look for the certificate you just installed. Open it and look for the golden key icon followed by "You have the private key that corresponds to this certificate."
2) Import the .pfx file into your keystore with the following command:
keytool -importkeystore -srckeystore file.pfx -alias keyALIAS -srcstoretype pkcs12 -destkeystore /path/to/keystore
3) Once the import has succeeded, the private key must have the same password as the keystore. You can change the key password with the following command:
keytool -keypasswd -alias keyALIAS -keystore /path/to/keystore

Note: If you don't do this last step you will get a "java.io.IOException: Cannot recover key" error.
I hope this was helpful to you. At least it was for me, and since I've been struggling with this for days, I thought I'd share it.
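To verify a keystore before handing it to Tomcat, here is an added check program (it is not part of the original post or of Tomcat; the class name KeystoreCheck and the Status values are my own naming, and it assumes JDK 7 or later). It distinguishes the two failures described above: an alias that holds only a certificate (no private key) and a key whose password differs from the keystore password (the "Cannot recover key" case).

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Checks that <alias> in a JKS or PKCS12 keystore is usable by a Tomcat HTTPS
// connector: it must be a key entry with a certificate chain, and the key must
// open with the keystore password (Tomcat uses keystorePass for the key too
// unless the connector's keyPass attribute is set).
public class KeystoreCheck {

    public enum Status { OK, NO_SUCH_ALIAS, NO_PRIVATE_KEY, KEY_PASSWORD_MISMATCH }

    public static Status check(String path, String storeType, String alias, char[] storePass)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(storeType);          // "JKS" or "PKCS12"
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);                             // wrong store password -> IOException
        }
        if (!ks.containsAlias(alias)) {
            return Status.NO_SUCH_ALIAS;
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (!ks.isKeyEntry(alias) || chain == null || chain.length == 0) {
            // A plain "keytool -import" of the CA-issued certificate ends up here:
            // a trusted-certificate entry only, i.e. the "no private key" situation.
            return Status.NO_PRIVATE_KEY;
        }
        try {
            ks.getKey(alias, storePass);                        // must open with the STORE password
        } catch (UnrecoverableKeyException e) {
            // Key password differs from the keystore password; this is what surfaces
            // in Tomcat as java.io.IOException: Cannot recover key. Fix: keytool -keypasswd.
            return Status.KEY_PASSWORD_MISMATCH;
        }
        ((X509Certificate) chain[0]).checkValidity();           // throws if expired / not yet valid
        return Status.OK;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2 || System.console() == null) {
            System.err.println("usage (interactive): java KeystoreCheck <keystore-file> <alias>");
            System.exit(2);
        }
        String lower = args[0].toLowerCase();
        String type = (lower.endsWith(".pfx") || lower.endsWith(".p12")) ? "PKCS12" : "JKS";
        char[] pass = System.console().readPassword("Keystore password: ");
        System.out.println(check(args[0], type, args[1], pass));
    }
}
```

Running it against the .pfx file first (type PKCS12) and then against the destination keystore after step 2 shows whether the private key survived the import; a result of KEY_PASSWORD_MISMATCH on the destination keystore is exactly the condition step 3 fixes.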

Cheers!