X.509 to Java Keystore Conversion

Import Self-Signed Server Certificate from Self-Generated CA into Java Keystore

Step 1: Convert the x.509 certificate and key to a pkcs12 file

  • During conversion to the PKCS#12 file, be sure to set an export password (openssl prompts for it unless -passout is given), both for security and to avoid import issues in the next step.
  • The -chain option is optional, but recommended so that the CA certificate chain (i.e. who signed the server certificate) is preserved in the bundle.
  • -passin file:servpass.enc reads the private key's passphrase from a file instead of the command line, so it does not show up in the process list or shell history.

    # Template: replace [some-alias] with the alias the entry should have in the keystore
    # openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name [some-alias] -CAfile ca.crt -caname root -chain -passin file:servpass.enc
    openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name cis-18 -CAfile ca.cert.pem -caname root -chain -passin file:servpass.enc


Step 2: Import pkcs12 file Into Java Keystore

# -deststoretype PKCS12 matches the key-store-type configured in Step 3 (keytool on Java 8 would otherwise create a JKS file).
# Note: PKCS12 keystores use a single password for the store and the key, so keytool ignores a -destkeypass that differs from -deststorepass.
keytool -importkeystore -deststoretype PKCS12 -deststorepass [A_PASSWORD] -destkeypass [A_DIFF_PASSWORD] -destkeystore cis-18.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass [EXPORT_PASSWORD] -alias cis-18
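Steps 1 and 2 run end to end, as an added example that is not part of the original page: the script creates a throwaway CA and a CA-signed server certificate in a scratch directory, builds the PKCS#12 bundle with the chain, imports it into a PKCS12-typed Java keystore, and then checks with keytool that the imported entry really carries two certificates (server plus CA). The CA name "demo-ca", the server name "localhost", the password values and the helper names build_keystore and chain_length are assumptions for the demo; it needs openssl and keytool on PATH.

```shell
#!/bin/sh
# Added example (not the page's own commands): end-to-end demo of Steps 1 and 2
# on a throwaway CA and server certificate created in a scratch directory.
# Requires openssl and keytool on PATH. The CA name "demo-ca", the server name
# "localhost", the alias and all passwords are constructed for this demo.
set -eu

# build_keystore <workdir> <alias>: creates the CA, server key/cert, PKCS#12
# bundle and Java keystore under <workdir>; prints the keystore path.
build_keystore() {
    dir=$1
    alias=$2
    mkdir -p "$dir"

    # Secrets go into 0600 files and are passed via file: / :file options, so
    # they never appear on a command line (and thus in the process list).
    umask 077
    printf '%s' 'demo-key-pass'    > "$dir/servpass.txt"   # private key passphrase
    printf '%s' 'demo-export-pass' > "$dir/export.txt"     # PKCS#12 export password

    # Throwaway self-signed CA, valid for one day
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.cert.pem" 2>/dev/null

    # Passphrase-protected server key + CSR, then sign the CSR with the CA
    openssl req -new -newkey rsa:2048 -passout "file:$dir/servpass.txt" \
        -subj "/CN=localhost" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/server.crt" 2>/dev/null

    # Step 1: PKCS#12 bundle with the CA chain and an export password
    openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
        -out "$dir/server.p12" -name "$alias" \
        -CAfile "$dir/ca.cert.pem" -caname root -chain \
        -passin "file:$dir/servpass.txt" -passout "file:$dir/export.txt"

    # Step 2: import into a PKCS12-typed Java keystore. PKCS12 stores have one
    # password for store and key, so only -deststorepass is given here.
    keytool -importkeystore -noprompt \
        -srckeystore "$dir/server.p12" -srcstoretype PKCS12 \
        -srcstorepass:file "$dir/export.txt" \
        -destkeystore "$dir/$alias.keystore" -deststoretype PKCS12 \
        -deststorepass:file "$dir/export.txt" \
        -alias "$alias" >/dev/null 2>&1

    printf '%s\n' "$dir/$alias.keystore"
}

# chain_length <keystore> <alias> <password-file>: prints the number of
# certificates stored with the entry (2 = server cert + CA, i.e. -chain worked).
chain_length() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass:file "$3" \
        | sed -n 's/^Certificate chain length: //p'
}

# Usage: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    ks=$(build_keystore "$work" cis-18)
    echo "keystore: $ks"
    echo "chain length for cis-18: $(chain_length "$ks" cis-18 "$work/export.txt")"
fi
```

The chain-length check is the part worth keeping around: if it prints 1 instead of 2, the -chain option did not take effect (usually because -CAfile did not contain the issuer), and Tomcat would later serve the leaf certificate without its intermediate or root.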

Step 3: Use this Keystore for your Spring-Boot Tomcat

resources/application.properties

server.port=8080
# The format used for the keystore. Set it to JKS instead if the file is a JKS keystore
server.ssl.key-store-type=PKCS12
# The path to the keystore containing the certificate
server.ssl.key-store=keystore/cis-18.keystore
# The keystore password, i.e. the -deststorepass value from Step 2 (not the PKCS#12 export password).
# If the key had its own password (JKS only), it would go in server.ssl.key-password.
server.ssl.key-store-password=[A_PASSWORD]
# The alias mapped to the certificate (the -name/-alias value from Steps 1 and 2)
server.ssl.key-alias=cis-18
# Serve HTTPS on the connector above; plain HTTP requests to port 8080 are rejected
server.ssl.enabled=true
server.ssl.protocol=TLS