Sometimes products simply get better, and so does Tomcat. Beginning with version 7 it is possible to specify the certificates for the listener the way Apache httpd does (OpenSSL style). For me, this is much easier to understand and easier to configure.
To export all your trusted CAs to a text file in .pem format, you can use the much loved/hated Java keytool:
The keytool lives in %JAVA_HOME%/bin/ and has to be called with these parameters:
- -list (lists all certificates in the store)
- -rfc (prints the certificates in RFC/PEM style)
- -keystore (path to the Java keystore you want to export)
- -storepass (password of the Java keystore you want to export)
This parameter set gives you a nicely formatted text output of your certificates.
The final step is to redirect the text output into a file, and voilà, you are finished: you have a file which you can use in your Tomcat connector for the parameter „SSLCACertificateFile“.
& 'C:\Program Files\Java\jdk1.8.0_60\bin\keytool.exe' -list -rfc -keystore C:\certs\cacerts -storepass changeit > all-cas.pem
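As an added check that is not part of the original post, the following Python parses the exported file the way an OpenSSL-style reader would see it: it rejects the UTF-16 encoding that Windows PowerShell's `>` redirection writes by default (PEM readers need plain ASCII/UTF-8), pairs each `Alias name:` header with the PEM block keytool prints after it, verifies the block is a DER SEQUENCE, and computes the SHA-256 fingerprint you can compare with `keytool -list -v`. The sample export and its two placeholder certificate bodies are constructed for this example, not real certificates.

```python
import base64
import hashlib
import re

# Constructed sample of `keytool -list -rfc` output with two trusted entries.
# The PEM bodies are placeholder DER blobs (an ASN.1 SEQUENCE holding one
# INTEGER), not real certificates, so the sample stays short.
SAMPLE_EXPORT = """Alias name: examplerootca
Creation date: 01.01.2020
Entry type: trustedCertEntry

-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----

*******************************************

Alias name: exampleintermediateca
Creation date: 01.01.2020
Entry type: trustedCertEntry

-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""

ALIAS_RE = re.compile(r"^Alias name:\s*(.+?)\s*$", re.M)
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def decode_export(raw: bytes) -> str:
    """Reject UTF-16, which Windows PowerShell's `>` writes by default."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        raise ValueError("export is UTF-16; PEM readers need ASCII/UTF-8")
    return raw.decode("utf-8")


def parse_keytool_export(text: str):
    """Return one (alias, DER bytes, SHA-256 hex) tuple per certificate block."""
    aliases, bodies = ALIAS_RE.findall(text), PEM_RE.findall(text)
    if len(aliases) != len(bodies):
        raise ValueError(f"{len(aliases)} aliases but {len(bodies)} PEM blocks")
    certs = []
    for alias, body in zip(aliases, bodies):  # keytool prints alias, then its PEM
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # every X.509 cert is an ASN.1 SEQUENCE
            raise ValueError(f"{alias}: PEM body is not a DER SEQUENCE")
        certs.append((alias, der, hashlib.sha256(der).hexdigest()))
    return certs
```

On a real export, call `parse_keytool_export(decode_export(open("all-cas.pem", "rb").read()))` and compare the printed fingerprints with those from `keytool -list -v`.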