I recently had the need to turn a JAVA web application into SSL only. While the configuration is almost painless (-Dhttps.port=443 -Dhttp.port=disabled
), the certificate management wasn’t quite as effective, due to a certain lack of clear documentation (where have I heard that again?).
We start assuming you already have your OpenSSL generated key/crt files, because that’s what happened here, but stay tuned:
$ openssl pkcs12 -export -in CertificateChain.pem -inkey Certificate.key -out Certificate.pkcs12 -name HostAlias -noiter -nomaciter
With this done you have a PKCS12 KeyStore you can use for the web server, much like the PEM/KEY you would use in Apache. Then, you use this configuration to properly load it:
-Dhttps.keyStoreType=PKCS12 -Dhttps.keyStore=/absolute/path/to/certificate.pkcs12 -Dhttps.keyStorePassword=KeyStorePassword
It may seem like nothing, but the keyStoreType part made the difference between a proper certificate chain and an unsigned chain localhost/localhost, which caused me major migraine for the good part of an afternoon.
With this said and done you can start the application/server and see to it that the certificate now lists itself properly and with all the needed CAs attached to it.