thank you very much for your reply!

that works for me!


On 05.08.2010 17:41, ravi kumar wrote:


Confirm if you want the certificate for apache or tomcat?
If it is apache then the "filename.crt" file will work, but if it is for tomcat then you will need
"filename.keystore".

Below command is used to generate the .key file in Linux using a passphrase

openssl genrsa -des3 1024 > filename.key

Below command is used to generate csr file in Linux

openssl req -new -key /root/csr/filename.key > filename.csr


Step 1: Generate a keystore in pkcs12 format using the Certificate (.crt) and the Private Key (.key) files


openssl pkcs12 -in <yourfile.crt> -inkey <yourfile.key> -export -out <keystore name> -name tomcat


The keystore file will be generated into the folder where OpenSSL binary is located


Step 2: Once the keystore is generated, configure the SSL factory in server.xml file to use it



<Connector clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program\tomcat/keystore" keystorePass="mypassword" truststorePass="mypassword" keystoreType="pkcs12" />

Note: Sometimes the provider root file is required.
Ex. If I purchased my certificate from "thawte" then I will
require "thawteroot.csr" and will merge this with my "filename.csr" and install it on the server.

Hope above solution works for you.


--- On Thu, 5/8/10, Tina Exner <> wrote:

From: Tina Exner <>
Subject: Re: [users@httpd] Export CACertificate to Tomcat
Date: Thursday, 5 August, 2010, 3:49 PM

does nobody know a solution for this problem?

hi all,

we have a nexus multiid server for certificate authentication.
i try to pass the client smartcard certificates from apache to tomcat server.
the tomcat talks to the nexus and the authentication takes effect.

when i try to export the client ca certificate to the tomcat server i get the
following errors:

[Mon Aug 02 15:36:40 2010] [error] [client] Certificate Verification: Error (20): unable to get local issuer certificate
[Mon Aug 02 15:36:40 2010] [error] [client] Re-negotiation handshake failed: Not accepted by client!?

(Fehlercode: ssl_error_unknown_ca_alert)

this is my ssl configuration:

  <IfModule ssl_module>
          SSLVerifyClient none
          SSLVerifyDepth 5

          #SSLOptions +ExportCertData +StrictRequire +StdEnvVars +FakeBasicAuth
          SSLOptions +ExportCertData

          #SSLCACertificateFile conf/ssl/Certificate.cer

       <Location /nexus>
                SSLVerifyClient         require
                SSLVerifyDepth          5

                #SSLCACertificateFile    /ps/apache2.2/testsystem1/conf/ssl/Certificate.crt
                #SSLOptions             +ExportCertData +StrictRequire +StdEnvVars +FakeBasicAuth
                SSLOptions              +ExportCertData +StdEnvVars

my jk.conf:

  JkExtractSSL          On
  JkHTTPSIndicator      HTTPS
  JkCIPHERIndicator     SSL_CIPHER
  JkOptions             +ForwardSSLCertChain

i use apache 2.2.13-3 and openssl 0.9.8a.

Any hints on what might have gone wrong will be highly useful.
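
Added example, not part of the thread: "Error (20): unable to get local issuer certificate" in the log above is OpenSSL's verify code 20, returned when the CA that issued the presented certificate is not among the CAs the verifier trusts (for mod_ssl, those given by SSLCACertificateFile or SSLCACertificatePath). The script reproduces that code offline with `openssl verify`; the CA and client names (`smartcard-ca`, `other-ca`, `client`) are hypothetical and every key and certificate is constructed throwaway test data.

```shell
#!/bin/sh
# Constructed demo: all names, keys and certificates are throwaway test data.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA certificate NAME.crt with key NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_client CA NAME: create a client certificate NAME.crt issued by CA
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 1 \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# verify_with CA CERT: print "ok" if CERT chains to CA,
# otherwise print the numeric OpenSSL verify error code
verify_with() {
    if out=$(openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>&1); then
        echo ok
    else
        printf '%s\n' "$out" |
            sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

make_ca smartcard-ca                 # CA that issues the client certificate
make_ca other-ca                     # unrelated CA, stands in for a wrong trust list
make_client smartcard-ca client

echo "issuing CA in trust list:     $(verify_with smartcard-ca client)"
echo "issuing CA not in trust list: $(verify_with other-ca client)"
```

Running the same `openssl verify -CAfile` check with the real client CA file and an exported client certificate shows whether a trust list actually contains the issuer before it is configured on the server.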