***Warning Geek Post ahead. Primarily intended for Google and the other poor souls who are going through the (cough) I just went through!***
I need to have SSL for both IIS and Tomcat on the same physical server but running on different ports. Two techs at Thawte said it couldn’t be done without purchasing a separate certificate. I disagreed. Google and random shots in the dark got it working.
How to:
Export Cert from IIS as a .pfx file
Add the Certificate Snap-in
1. On the computer containing the certificate you want, select Start, then Run, and then type mmc to open the Microsoft Management Console.
2. On the Console menu, click Add/Remove Snap-in…
3. Click Add button. This will open the Add Standalone Snap-in box.
4. Select Certificates from the list and then click Add.
5. Select Computer account and then click Next.
6. Select Local computer and click Finish.
7. Click Close on the Add Standalone Snap-in box.
8. Click OK on the Add/Remove Snap-in box.
Export the certificate from IIS 5
1. Under the Tree tab in the Microsoft Management Console expand Certificates.
2. Select the Personal folder and then the certificate you want to export.
3. On the Action menu select All Tasks>Export…
4. Click Next.
5. Select Yes, export the private key and click Next.
6. Select Personal Information Exchange – PKCS #12 (.PFX) and then click Next.
7. Enter the password you used when you created the certificate and click Next. This will create a .pfx file.
Point Tomcat to the new Cert
1. Open %TOMCAT_HOME%\conf\server.xml in an XML or text editor.
2. Uncomment the SSL Connector if it is not already.
3. Add the following attributes inside the uncommented <Connector port="8443" ...> element:
keystoreFile="c:\PATH TO CERT.pfx" keystorePass="PASSWORD HERE"
keystoreType="PKCS12"
Restart Tomcat. Point a browser to https://localhost:8443. If it doesn't load, look in the log files to identify the problem.
This solution is simple, and I don't know why it isn't better documented. Most of the resources I found had me using OpenSSL to convert the cert to .p12 or .pem files; I couldn't get those working. I started working backwards, tried the .pfx file directly, and it worked. Note that the attribute is keystoreType; one piece of documentation called it something else, which didn't help my situation. This works with Tomcat 5.5.9. I don't know about other versions.
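A quick offline sanity check of the Tomcat step, written here as an added example (not the author's code): it parses a constructed server.xml fragment, confirms the port 8443 Connector carries keystoreFile, keystorePass and keystoreType=PKCS12 (either case accepted), and checks that a keystore file's DER header is PKCS#12 rather than a PEM produced by an OpenSSL conversion. The file-existence check is injectable so it runs without a real .pfx on disk.

```python
"""Sanity checks for the Tomcat step: does the SSL <Connector> in server.xml
point at a PKCS#12 (.pfx) keystore, and is that file really DER PKCS#12?
Added example, not part of the original post; standard library only."""
import os
import xml.etree.ElementTree as ET

# Constructed server.xml fragment in the shape the post describes (not a real file).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" />
    <Connector port="8443" scheme="https" secure="true"
               keystoreFile="c:\\certs\\site.pfx" keystorePass="PASSWORD HERE"
               keystoreType="PKCS12" />
  </Service>
</Server>"""

def check_connector(server_xml_text, port="8443", file_exists=os.path.isfile):
    """Return a list of problems with the SSL Connector on `port` (empty = OK).
    file_exists is injectable so the check runs without a real .pfx on disk."""
    problems = []
    root = ET.fromstring(server_xml_text)
    conns = [c for c in root.iter("Connector") if c.get("port") == port]
    if not conns:
        return [f'no <Connector port="{port}"> found (still commented out?)']
    c = conns[0]
    ks_file, ks_pass, ks_type = (c.get(a) for a in
                                 ("keystoreFile", "keystorePass", "keystoreType"))
    if not ks_file:
        problems.append("keystoreFile missing")
    elif not file_exists(ks_file):
        problems.append(f"keystoreFile not found: {ks_file}")
    if not ks_pass:
        problems.append("keystorePass missing")
    if ks_type is None:
        problems.append("keystoreType missing: Tomcat assumes JKS and cannot read a .pfx")
    elif ks_type.upper() != "PKCS12":
        problems.append(f"keystoreType is {ks_type!r}, expected PKCS12 for a .pfx")
    if c.get("scheme") != "https" or c.get("secure") != "true":
        problems.append('expected scheme="https" secure="true" on the SSL connector')
    return problems

def looks_like_pfx(data):
    """True if `data` starts like DER PKCS#12: SEQUENCE { INTEGER 3, ... }.
    A PEM file (OpenSSL's usual output) starts with '-----BEGIN' instead."""
    if data.startswith(b"-----BEGIN") or len(data) < 5 or data[0] != 0x30:
        return False
    i = 2 if data[1] < 0x80 else 2 + (data[1] & 0x7F)  # skip SEQUENCE length
    return data[i:i + 3] == b"\x02\x01\x03"  # INTEGER 3 = PFX version v3
```

Run check_connector on the real server.xml text and looks_like_pfx on the first few bytes of the .pfx before restarting Tomcat; an empty problem list and True are what you want.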

July 13th, 2005 at 10:00 pm
Eek. So confused. Too many words organized in a fashion that I can’t comprehend! Ah!!
Oh wait… that tutorial doesn’t pertain to me… fair enough. Have a great day!
March 28th, 2007 at 4:18 pm
[…] Ok, spent the whole freakin day on this one folks. So I'm moving a Flex 1.5 app from IIS/JRun to Tomcat and Flex 2.0. I need to get HTTPS comm up and running on Tomcat. Everything I read all day started off with 'Create your CSR…' Doh! I already have the cert! I must have finally hit the correct Google query to get some direction. The steps are basically the ones outlined here http://www.endofnow.com/2005/07/12/ssl-for-iis-and-tomcat-using-one-certificate/ […]
April 10th, 2007 at 10:18 am
I went through your article..
My problem is somehow related. I have a Tomcat server running on the machine with an SSL certificate installed at 443.
Now I have also installed IIS on the same machine, and I want to enable SSL using the same certificate on it, but at a different port, 8080.
Is there any way I can use the Tomcat certificate on my IIS?
July 18th, 2007 at 1:16 am
Your article really helped me out. I was banging my head against the wall trying to figure this issue out.
I followed your instructions and it totally worked.
Thanks!!!
April 9th, 2008 at 6:58 am
FYI: with Tomcat on Windows I found that keystoreType is case sensitive, so keystoreType="pkcs12" works but keystoreType="PKCS12" does not.
Cheers
Dan
July 2nd, 2008 at 10:59 am
Thanks Dan, your comment saved my life.
September 9th, 2008 at 2:02 pm
Great solution.
Just FYI, this solution also works in the case of a wildcard certificate like *.mydomainname.com
Where IIS has the certificate on the primary www.mydomainname.com and Tomcat is running on a different server as subdomainname.mydomainname.com
August 5th, 2009 at 5:59 pm
I'm getting a certificate error when using Firefox 3.5.1 or IE 8 with this fix.
Other browsers show it as a secure connection, but IE 8 and Firefox, I believe, are showing it as self-signed, even though I purchased the certificate.
Asking a client to click OK is not an option.
How do I get the certificate to stop looking like it is self-signed?
August 13th, 2009 at 10:09 am
This will not work for Tomcat 6.0.18 using the APR connector. You can convert your SSL cert (the pfx file, using OpenSSL) to a PEM file, which is what Tomcat PREFERS. This is a good thing only if you are running IIS with Tomcat; for a stand-alone Tomcat installation, you really should convert and use PEMs.
Good place to start looking for information though. It got me asking the right questions and got me thinking more about re-re-reading the docs. Kudos to you Ryan!