Java has tools to create the key pairs and the CSR; you are not required to do this with OpenSSL. I provided some links below that have some commands.
https://www.digicert.com/easy-csr/keytool.htm
http://nl.globalsign.com/en/support/ssl+certificates/java/java+based+webserver/keytool+commands/

In the end the process is similar to:

1. Create keystore and create new CSR within it.
2. Send CSR
3. Get back the response
4. Import response into the keystore

As for Apache/Tomcat, that I have no direct experience doing, but it should be no more than adding a module and making a few config tweaks.

Thanks,
-Eduardo

From: Zico
Sent: Monday, May 16, 2011 10:16 AM
To: openssl-users@openssl.org
Subject: Cert Renewal issue + CAcert.org

I am learning various sites and blogs to make it clear, but it's yet unclear to me! I think you may help me if you want, and that will be a big favor for me.

What I am trying to do is: I am trying to "renew cert" of one server which was certified by CAcert.org. What I am trying to follow is:

1. Generate Private key: with openssl genrsa -des3 -out myserv.key 2048
2. Remove passphrase from key:
3. Generate CSR: with openssl req -new -key myserv.key -out myserv.csr
4. Submit this csr into 3rd party
5. Get the certificate and SAVE IT AS MYSERV.CRT (am I correct here?)
6. Concatenate CRT+PRIVATE KEY and SAVE THE CONCATENATION AS PEM FORMAT
7. RE-ENCODE PEM INTO PKCS12
8. Create JKS
9. Now what? How can I install JKS for tomcat and apache? What do you suggest me to do? Any link?

Can you please help me regarding this?

--
Best,
Zico
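The key, CSR, PKCS#12 and JKS steps discussed in this thread, as an added example that is not part of either message, with a check that the returned certificate matches the private key before anything is bundled. Assumptions: the host name myserv.example, a constructed throwaway CA standing in for the real one, the keystore password "changeit", a key generated without a passphrase (in place of -des3 followed by removal), and a PKCS#12 built directly from the key and certificate files rather than from a concatenated PEM.

```bash
#!/usr/bin/env bash
# Added example: key -> CSR -> (stand-in CA) -> match check -> PKCS#12 -> JKS.
# myserv.example, the throwaway CA and the "changeit" password are assumptions.
umask 077                      # private key and keystores readable by owner only

make_key_and_csr() {           # steps 1-3: unencrypted RSA key plus CSR
  openssl genrsa -out myserv.key 2048 2>/dev/null &&
  openssl req -new -key myserv.key -subj "/CN=myserv.example" -out myserv.csr
}

sign_with_test_ca() {          # steps 4-5: constructed CA standing in for the real one
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Constructed Test CA" -days 2 2>/dev/null &&
  openssl x509 -req -in myserv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out myserv.crt 2>/dev/null
}

cert_matches_key() {           # compare public keys: cert ($1) vs private key ($2)
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

make_p12() {                   # steps 6-7: bundle key + cert + CA cert
  cert_matches_key myserv.crt myserv.key || { echo "cert/key mismatch" >&2; return 1; }
  openssl pkcs12 -export -inkey myserv.key -in myserv.crt -certfile ca.crt \
    -name myserv -passout pass:changeit -out myserv.p12
}

make_jks() {                   # step 8: needs keytool from a JDK; skipped if absent
  command -v keytool >/dev/null || { echo "keytool not found, skipping JKS" >&2; return 0; }
  keytool -importkeystore -noprompt -srckeystore myserv.p12 -srcstoretype PKCS12 \
    -srcstorepass changeit -destkeystore myserv.jks -deststoretype JKS \
    -deststorepass changeit
}

renewal_demo() {               # run the whole flow in a scratch directory
  cd "$(mktemp -d)" && make_key_and_csr && sign_with_test_ca && make_p12 && make_jks &&
  openssl pkcs12 -in myserv.p12 -passin pass:changeit -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject   # prints the subject of the bundled certificate
}

renewal_demo
```

With a real CA, sign_with_test_ca is replaced by submitting myserv.csr and saving the response as myserv.crt, and -certfile points at the CA's own certificate.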