You’ll need:
- The private key that was created when we generated the Certificate Signing Request (CSR) file; we’ll name it private.key
- Your CA signed SSL certificate, in X.509 format, named yourssl.crt
- Intermediate Certificate from our CA, intermediateCA.crt
- Root CA certificate, rootCA.crt
- A name or alias for your certificate, we’ll use certalias
- A name for CA certificates bundle, cabundle.crt
- A name for your p12 format certificate, certbundle.p12
- And, a name for your new keystore, certbundle.jks
First, bundle the intermediate and root CA certificates into one file:
cat intermediateCA.crt rootCA.crt > cabundle.crt
Generate a certificate bundle in pkcs12 format:
openssl pkcs12 -export -chain -in yourssl.crt -inkey private.key -out certbundle.p12 -name certalias -CAfile cabundle.crt
Create a password for the bundle when prompted. Once that’s done, convert the bundle to JKS format:
keytool -importkeystore -srckeystore certbundle.p12 -srcstoretype pkcs12 -srcalias certalias -destkeystore certbundle.jks -deststoretype jks -destalias certalias
The keystore should now be ready to use on your Tomcat install.
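An added example, not part of the original procedure: before running the pkcs12 export above, this script checks that private.key really belongs to yourssl.crt and that the certificate chains to cabundle.crt, then counts the certificates that ended up in certbundle.p12. It assumes a throwaway PKI built on the spot, the constructed password `demo-pass` passed with `-passout` instead of the interactive prompt, and made-up names for the CA key, CSR and extension files.

```shell
#!/bin/sh
# Added example: checks around the page's `openssl pkcs12 -export -chain` step.

# preflight CERT KEY CABUNDLE -> 0 ok, 1 KEY is not CERT's key,
# 2 CERT does not chain to the CA certificates in CABUNDLE.
preflight() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ] || return 1
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 2
}

# p12_cert_count FILE PASSWORD -> number of certificates stored in the bundle
# (3 = leaf + intermediate + root when -chain found the whole chain).
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# build_p12 DIR PASSWORD: the page's export command, run only if preflight passes.
build_p12() {
  preflight "$1/yourssl.crt" "$1/private.key" "$1/cabundle.crt" || return $?
  openssl pkcs12 -export -chain -in "$1/yourssl.crt" -inkey "$1/private.key" \
    -out "$1/certbundle.p12" -name certalias -CAfile "$1/cabundle.crt" \
    -passout "pass:$2"
}

# make_demo_pki DIR: constructed throwaway root -> intermediate -> leaf PKI using
# the page's file names (CA .key/.csr/.ext names and subjects are made up here).
make_demo_pki() {
  d=$1; printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in rootCA intermediateCA private; do
    openssl genrsa -out "$d/$n.key" 2048 2>/dev/null
    openssl req -new -key "$d/$n.key" -subj "/CN=demo $n" -out "$d/$n.csr"
  done
  openssl x509 -req -in "$d/rootCA.csr" -signkey "$d/rootCA.key" -extfile "$d/ca.ext" \
    -days 1 -out "$d/rootCA.crt" 2>/dev/null
  openssl x509 -req -in "$d/intermediateCA.csr" -CA "$d/rootCA.crt" -CAkey "$d/rootCA.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 1 -out "$d/intermediateCA.crt" 2>/dev/null
  openssl x509 -req -in "$d/private.csr" -CA "$d/intermediateCA.crt" \
    -CAkey "$d/intermediateCA.key" -CAcreateserial -days 1 -out "$d/yourssl.crt" 2>/dev/null
  cat "$d/intermediateCA.crt" "$d/rootCA.crt" > "$d/cabundle.crt"
}

demo=$(mktemp -d) && make_demo_pki "$demo"
build_p12 "$demo" demo-pass && echo "certificates in bundle: $(p12_cert_count "$demo/certbundle.p12" demo-pass)"
```

A count below 3 means Tomcat would serve an incomplete chain from the resulting keystore, which clients without the intermediate cached will reject.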