how to use existing certificate in https
You could refer to the certificate if it is in a keystore:
Here’s some old configuration of mine from a previous Play version:
play.server.https.keyStore.path=${?KEYSTORE_PATH}
play.server.https.keyStore.type=${?KEYSTORE_TYPE}
play.server.https.keyStore.password=${?KEYSTORE_PASSWORD}
ail.keyManager.path=${?KEYMANAGER_PATH}
ail.keyManager.type=${?KEYMANAGER_TYPE}
ail.keyManager.password=${?KEYMANAGER_PASSWORD}
play.ws.ssl {
keyManager = {
stores = [
{ path: ${ail.keyManager.path}, type: ${ail.keyManager.type}, password: ${ail.keyManager.password} }
]
}
}
ail.trustManager.path=${?TRUSTMANAGER_PATH}
ail.trustManager.type=${?TRUSTMANAGER_TYPE}
ail.trustManager.password=${?TRUSTMANAGER_PASSWORD}
play.ws.ssl {
trustManager = {
stores = [
{ path: ${ail.trustManager.path}, type: ${ail.trustManager.type}, password: ${ail.trustManager.password} }
]
}
}
jwt.truststore.path=${?JWT_TRUSTSTORE_PATH}
jwt.truststore.type=${?JWT_TRUSTSTORE_TYPE}
jwt.truststore.password=${?JWT_TRUSTSTORE_PASSWORD}
jwt.truststore.entry=${?JWT_CERT_ALIAS_AIL}
Apache Tomcat and many other Java applications expect to retrieve SSL/TLS certificates from a Java Key Store (JKS). Jave Virtual Machines usually come with keytool to help you create a new key store.
Keytool helps you to:
- create a new JKS with a new private key
- generate a Certificate Signung Request (CSR) for the private key in this JKS
- import a certificate that you received for this CSR into your JKS
Keytool does not let you import an existing private key for which you already have a certificate. So you need to do this yourself, here’s how:
Let’s assume you have a private key ( key.pem ) and a certificate ( cert.pem ), both in PEM format as the file names suggest.
PEM format is ‘kind-of-human-readable’ and looks like e.g.
-----BEGIN CERTIFICATE----- Ulv6GtdFbjzLeqlkelqwewlq822OrEPdH+zxKUkKGX/eN . . (snip) . 9801asds3BCfu52dm7JHzPAOqWKaEwIgymlk= ----END CERTIFICATE-----
Convert both, the key and the certificate into DER format using openssl :
openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
Now comes the tricky bit, you need something to import these files into the JKS. ImportKey will do this for you, get the ImportKey.java (text/x-java-source, 6.6 kB, info) source or the compiled (Java 1.5 !) ImportKey.class (application/octet-stream, 3.3 kB, info) and run it like
`user@host:~$ java ImportKey key.der cert.der`
Using keystore-file : /home/user/keystore.
ImportKey One certificate, no chain.
Key and certificate stored.
Alias:importkey Password:importkey
Now we have a proper JKS containing our private key and certificate in a file called keystore.ImportKey, using ‘importkey’ as alias and also as password. For any further changes, like changing the password we can use keytool.