How to convert SSL Nginx cert to Tomcat cert

by Daniel Pham
Published: Updated:

This article will guide you how to convert SSL Nginx cert to Tomcat cert.

Nginx cert and Tomcat cert

When you buy SSL cert for Nginx web server (or Apache), you usually get 3 files of the following type:

  • STAR_domain.CERT.crt
  • STAR_domain.PRIVATE.key
  • STAR_domain.CA.key

Nginx’s ssl cert file uses X.509 format. You can read more about it.

For Java applications, it runs the Tomcat web server. And Tomcat’s ssl cert uses the .jks (Java KeyStore) format, this is Oracle’s own format.

Recommended Reading: How to convert SSL Nginx cert to IIS cert

Steps to convert X.509 cert into JKS

First, this is easier on a Linux machine, because it has OpenSSL built-in.

convert x.509 cert to jks cert
Convert X.509 cert to JKS cert.

To convert X.509 SSL cert to JKS cert, you need 3 files that I mentioned above, CERT file, PRIVATE key and CA cert.

Recommended Reading: Nginx redirect a location to another domain

First, you need to export all of these files into one bundle file in .p12 format.

openssl pkcs12 -export -in STAR_domain.CERT.crt -inkey STAR_domain.PRIVATE.key -certfile STAR_domain.CA.key -out domain.p12

This command will ask you to set an export password for the keystore. For example, I set it to danie.

Then, run the keytool command to import this .p12 file into the PKCS12 library and export the final cert file .jks.

keytool -importkeystore -srckeystore domain.p12 -srcstoretype PKCS12 -destkeystore domain.jks

This command will ask you to set a destination keystore password, at least 6 characters. I set it to daniepham.

Then it will ask you to type source keystore password. It is the same password export that you have set at the openssl pkcs12 command, it’s danie of my example.

And done, you have finished converting X.509 cert to JKS cert and now you can import it into your Tomcat web server.


Converting X.509 cert of Nginx (or Apache) to Tomcat’s cert JKS only goes through 2 commands. It is not difficult, but not everyone knows that. Hope the article is useful for you.

(This is an article from my old blog that has been inactive for a long time, I don’t want to throw it away so I will keep it and hope it helps someone).

0 0 votes
Article Rating

You may also like

Notify of
Inline Feedbacks
View all comments

DevOps Lite is a personal blog specializing in technology with main topics about DevOps, DevSecOps, SRE and System Administrator. Articles are shared for free and contributed to the community.



Subscribe my Newsletter for new blog posts. Stay updated from your inbox!

© 2021-2024 – All rights reserved.

Please write sources “” when using articles from this website.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More

Would love your thoughts, please comment.x

Adblock Detected

Please support us by disabling your AdBlocker extension from your browsers for our website.