I am trying to add a ssl certificate generated from certbot, converted into pkcs12 format into my spring-boot application.
Those are the steps I made to make the certificate:
certbot certonly -a standalone -d api.example.com
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name tomcat -passout pass:aaaaaa
keytool -importkeystore -deststorepass aaaaaa -destkeypass aaaaaa -destkeystore .keystore -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass aaaaaa -alias tomcat
source
The content of application.yml :
spring:
datasource:
url: jdbc:mariadb://localhost:3306/api?useSSL=false
username: spring
password: w7wqD6hd78HfYHLP
driver-class-name: org.mariadb.jdbc.Driver
jpa:
hibernate:
ddl-auto: update
database-platform: org.hibernate.dialect.MariaDB103Dialect
generate-ddl: true
show-sql: true
server:
port: 12345
ssl:
enabled: true
key-alias: tomcat
key-store-type: PKCS12
key-password: aaaaaa
key-store: /etc/letsencrypt/live/api.example.ovh/pkcs.p12
This is the most nested error I obtain :
Caused by: java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1170) ~[na:na]
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:365) ~[tomcat-embed-core-9.0.39.jar:9.0.39]
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246) ~[tomcat-embed-core-9.0.39.jar:9.0.39]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97) ~[tomcat-embed-core-9.0.39.jar:9.0.39]
... 26 common frames omitted
The pkcs12 has been created with the fullchain and the key, so there should be no problem in the resulting p12 certificate. They are various answers on the wonderful internet that directed me in the same direction for the steps to make the certificate.
I would like to know if anyone has a solution for this, to simply use ssl as intended. If the answer is obvious, I am sorry, I am not savvy enough on java applications.
Add key-store-password property as follows:
server:
ssl:
key-store-password: aaaaaa
I am trying to enable SSL with embedded jetty in a Spring Boot Application.
Spring Boot Starter Version: 2.1.0.RELEASE
My configuration:
I created a keystore with the following command:
keytool -genkey -keyalg RSA -alias webapp -keystore keystore.jks -storepass password -keysize 2048
The resulting keystore.jks file was placed in src/main/resources/ssl.
The tutorials mostly say that referencing this keystore in the application.yaml should be enough to "make it work":
server:
port: 9292
servlet:
context-path: /
ssl:
key-store: classpath:keystore.jks
key-store-password: password
key-alias: webapp
key-store-type: JKS
Error:
When I try to start the application, it fails:
Caused by: org.springframework.boot.web.server.WebServerException: Could not find key store 'classpath:keystore.jks'
at org.springframework.boot.web.embedded.jetty.SslServerCustomizer.configureSslKeyStore(SslServerCustomizer.java:195) ~[spring-boot-2.1.0.RELEASE.jar:2.1.0.RELEASE]
at org.springframework.boot.web.embedded.jetty.SslServerCustomizer.configureSsl(SslServerCustomizer.java:164) ~[spring-boot-2.1.0.RELEASE.jar:2.1.0.RELEASE]
at org.springframework.boot.web.embedded.jetty.SslServerCustomizer.customize(SslServerCustomizer.java:73) ~[spring-boot-2.1.0.RELEASE.jar:2.1.0.RELEASE]
at org.springframework.boot.web.embedded.jetty.JettyServletWebServerFactory.customizeSsl(JettyServletWebServerFactory.java:195) ~[spring-boot-2.1.0.RELEASE.jar:2.1.0.RELEASE]
at org.springframework.boot.web.embedded.jetty.JettyServletWebServerFactory.getWebServer(JettyServletWebServerFactory.java:145) ~[spring-boot-2.1.0.RELEASE.jar:2.1.0.RELEASE]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.createWebServer(ServletWebServerApplicationContext.java:179) ~[spring-boot-2.1.0.RELEASE.jar:2.1.0.RELEASE]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.onRefresh(ServletWebServerApplicationContext.java:152) ~[spring-boot-2.1.0.RELEASE.jar:2.1.0.RELEASE]
... 13 common frames omitted
Caused by: java.io.FileNotFoundException: class path resource [keystore.jks] cannot be resolved to URL because it does not exist
at org.springframework.util.ResourceUtils.getURL(ResourceUtils.java:137) ~[spring-core-5.1.2.RELEASE.jar:5.1.2.RELEASE]
at org.springframework.boot.web.embedded.jetty.SslServerCustomizer.configureSslKeyStore(SslServerCustomizer.java:190) ~[spring-boot-2.1.0.RELEASE.jar:2.1.0.RELEASE]
... 19 common frames omitted
When I look into the maven target directory though, the keystore.jks is placed under classes/ssl, so it should be in the classpath, right?
Can someone point out what I am missing?
Edit:
Strangely enough, moving the keystore.jks to src/main/resources seems to fix the problem. Why jetty able to find the keystore there, but not in the subdirectory src/main/resources/ssl?
Classpath by default is set tot src/main/resources. Meaning if you have subdirectories inside you need to specify the full path to your jks file:
key-store: classpath:ssl/keystore.jks
I want to configure Wildfly 14 to use encrypted JDBC connection. I tried this:
MariaDB:
mysql -u root -p
CREATE USER 'wildfly' IDENTIFIED BY 'qwerty';
CREATE DATABASE production_gateway;
GRANT ALL PRIVILEGES ON production_gateway.* TO 'wildfly'#'%' REQUIRE SSL;
FLUSH PRIVILEGES;
Create certificate:
mkdir -p /etc/mysql/ssl
cd /etc/mysql/ssl
sudo openssl genrsa 4096 > ca-key.pem
sudo openssl req -new -x509 -nodes -days 36500 -key ca-key.pem -out cacert.pem
sudo openssl req -newkey rsa:4096 -days 36500 -nodes -keyout server-key.pem -out server-req.pem
sudo openssl rsa -in server-key.pem -out server-key.pem
sudo openssl x509 -req -in server-req.pem -days 36500 -CA cacert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
sudo openssl req -newkey rsa:2048 -days 36500 -nodes -keyout client-key.pem -out client-req.pem
sudo openssl rsa -in client-key.pem -out client-key.pem
sudo openssl x509 -req -in client-req.pem -days 36500 -CA cacert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
openssl verify -CAfile cacert.pem server-cert.pem client-cert.pem
Add certificate in MariDB under my.cnf
ssl-ca=/etc/mysql/ssl/cacert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
systemctl restart mysql
Import certificate in Java keystone:
cd /usr/lib/jvm/java-11-openjdk-amd64/lib/security/
openssl x509 -outform der -in /etc/mysql/ssl/client-cert.pem -out certificate.der
keytool -import -alias client -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -file certificate.der -srcstorepass changeit
Export keystone configuration:
export JAVA_OPTS="-Djavax.net.ssl.keyStore=/usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -Djavax.net.ssl.keyStorePassword=changeit"
When I use this connection link:
jdbc:mariadb://localhost:3306/production_gateway - it's working
But when I use: jdbc:mariadb://localhost:3306/production_gateway?useSSL=true&requireSSL=true
I get:
17:40:30,454 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (External Management Request Threads -- 1) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: IJ031084: Unable to create connection
17:40:30,472 ERROR [org.jboss.as.controller.management-operation] (External Management Request Threads -- 1) WFLYCTL0013: Operation ("test-connection-in-pool") failed - address: ([
("subsystem" => "datasources"),
("data-source" => "MariaDB")
]) - failure description: "WFLYJCA0040: failed to invoke operation: WFLYJCA0047: Connection is not valid"
Can you advice how I can fix this issue?
I use JDBC driver mariadb-java-client-2.3.0.jar
As per my knowledge,you just need to provide requireSSL field to true.
Try with below line :
jdbc:mariadb://localhost:3306/production_gateway?requireSSL=true
Let us know whether it's working or not.
For more clarification you can check this answer .
I'm following this tutorial to enable HTTPS in Spring Boot 2.0 using a self-signed certificate, just for testing purpose. In summary, that tutorial includes these steps:
1.Generate the keystore using keytool.
keytool -genkey -alias tomcat
-storetype PKCS12 -keyalg RSA -keysize 2048
-keystore keystore.p12 -validity 3650
2.Enable HTTPS in Spring Boot by adding some properties in the application.properties file.
server.port: 8443
server.ssl.key-store: keystore.p12
server.ssl.key-store-password: mypassword
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat
3.Redirect HTTP to HTTPS (optional). I ignored this part.
But when I start my application, I got these error:
org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
at org.apache.catalina.core.StandardService.addConnector(StandardService.java:225) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:255) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:197) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.startWebServer(ServletWebServerApplicationContext.java:300) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.finishRefresh(ServletWebServerApplicationContext.java:162) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:552) [spring-context-5.0.4.RELEASE.jar:5.0.4.RELEASE]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:140) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:752) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:388) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:327) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1246) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1234) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
at epic.gwdg.restgraph.RestgraphApplication.main(RestgraphApplication.java:10) [classes/:na]
Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1021) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
... 13 common frames omitted
Caused by: java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:87) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1150) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:591) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1018) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
... 14 common frames omitted
Caused by: java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1170) ~[na:na]
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:257) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
... 19 common frames omitted
2018-03-16 16:42:30.917 INFO 970 --- [ main] o.apache.catalina.core.StandardService : Stopping service [Tomcat]
2018-03-16 16:42:30.931 INFO 970 --- [ main] ConditionEvaluationReportLoggingListener :
Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.
2018-03-16 16:42:30.933 ERROR 970 --- [ main] o.s.b.d.LoggingFailureAnalysisReporter :
***************************
APPLICATION FAILED TO START
***************************
Description:
The Tomcat connector configured to listen on port 8443 failed to start. The port may already be in use or the connector may be misconfigured.
Action:
Verify the connector's configuration, identify and stop any process that's listening on port 8443, or configure this application to listen on another port.
2018-03-16 16:42:30.934 INFO 970 --- [ main] ConfigServletWebServerApplicationContext : Closing org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext#58ce9668: startup date [Fri Mar 16 16:42:26 CET 2018]; root of context hierarchy
2018-03-16 16:42:30.936 INFO 970 --- [ main] o.s.j.e.a.AnnotationMBeanExporter : Unregistering JMX-exposed beans on shutdown
Process finished with exit code 1
Basically, the message is:
Private key must be accompanied by certificate chain.
This is a self-signed certificate, so it, of course, doesn't have the trusted chain. How can I fix it?
Here is my current application.properties file:
server.port=8443
server.ssl.enabled=true
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-password=123456
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=tomcat
Thank you so much for your help.
The problem is that in your generated keystore you dont have a key pair so there is no private key that's because your using the option -genkey you need to change it by the option -genkeypair :
-genkey generates a Secret Key whereas the -genkeypair generates a
key pair (a public key and a private key).
So I think this should work :
keytool -genkeypair -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650
In your spring boot configuration change ":" by "=" and add the path to your keystore I suppose that your keystore.p12 is in your resources folder so :
server.ssl.key-store = classpath:keystore.p12
server.ssl.key-store-password = mypassword
server.ssl.key-store-type = PKCS12
server.ssl.key-alias = tomcat
I was getting this horrible Private key must be accompanied by certificate chain error as well on my Spring Boot application with an embedded Tomcat server. It was making me insane.
It turns out a simple typo was my problem:
#Override
public void customize(ConfigurableServletWebServerFactory server) {
Ssl ssl = new Ssl();
ssl.setEnabled(true);
ssl.setKeyStore(keystoreFile);
ssl.setKeyPassword(keystorePass); // << Should be `setKeyStorePassword` !!!!
ssl.setKeyStoreType(keystoreType);
ssl.setKeyAlias(keystoreAlias);
server.setSsl(ssl);
server.setPort(sslPort);
}
So the error message is not helpful at all for this case. I hope this helps someone else. Just be sure to verify that you're putting the right passwords (key vs keystore) in the right place. The same issue can happen in a properties based setup - it depends on what you are working with.
You made a small mistake in the application.properties file. Please change
server.ssl.key-password=your_password
to
server.ssl.key-store-password=your_password
It will work fine then. Hope it helps! Thank you!
1.use " -genkeypair"
keytool -genkeypair -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650
change "server.ssl.key-password" to "server.ssl.key-store-password"
I had a similar problem, in my case i was missing the trustAnchors in the trust store.
One solution is to use the java built-in keytool, like explained in the other answers. But there is an even simplest approach using KeyStore Explorer GUI, so i'll explain the complete steps with both tools.
1. First of all, as described in the answer, we need to enable SSL in the application.properties file:
# <======= SSL Security ===========>
# Keystore config
server.ssl.key-store-type=PKCS12
server.ssl.key-store-password=change_it!
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-alias=alias
server.ssl.enabled=true
# Trust Store Certificates
server.ssl.trust-store=classpath:trust_store.p12
server.ssl.trust-store-type=PKCS12
server.ssl.trust-store-password=07123e1f482356c415f684407
# <=====================>
The Keystore is the container of the Public - Private Key pair that is used by the server to communicate securely with the clients. The client of course must have the Public Key to be able to communicate with the server.
The Trust Store is simply a container for the certificates. (the Public Keys).
In our case it will contain only one certificate, the one used by the server.
2.1 Create the keystore with the java keytool:
keytool -genkeypair -alias alias -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore keystore.p12 -validity 3650
2.2 Export the certificate so we can use it to create the Trust Store Keystore
keytool -export -keystore keystore.p12 -alias alias -file certificate.cer
2.3 This step will automatically create a new keystore with the imported trusted certificate. (The tool will ask you a password for the new keystrore and when it asks "Trust this certificate?" of course you should type "yes")
keytool -importcert -file certificate.cer -keystore trust_store.p12 -alias alias
Finally save both keystores inside the resources folder of your Spring Boot App (as shown in the alternative approach).
Alternative approach with KeyStore Explorer
2.1 Create the keystore with the KeyStore Explorer, as shown in the screenshots:
Then save the keystore inside the resources folder of your Spring Boot App:
2.2 Now we need to create the trust store, that can be given to the client that needs to communicate with our server. First of all extract the certificate chain created by the KeyStore Explorer and then create a new KeyStore importing the certificate inside it, as shown in the screenshots:
Then to create our trust store, click on "Create a new KeyStore" with the PKCS12 format as in the previous steps, the click the red icon "Import trusted certificate", choose the certificate saved in the preceding step, and finally save the keystore inside the resources folder like we did in the first keystore creation.
Now your server will be enabled to communicate with SSL security. Remember that your clients must be configured to load the trust store you've created .
Spring Boot 2.2.1.RELEASE
keytool -genkeypair -keystore myKeystore2.p12 -storetype PKCS12 -storepass 123456 -alias ks-localhost -keyalg RSA -keysize 2048 -validity 99999 -dname "CN=My SSL Certificate, OU=My Team, O=My Company, L=My City, ST=My State, C=SA" -ext san=dns:localhost,ip:127.0.0.1
application.yml
server:
tomcat:
accesslog:
enabled: true
ssl:
key-store-type: PKCS12
key-store: classpath:myKeystore.p12
key-alias: ks-localhost
enabled: true
protocol: TLS
key-store-password: 123456
I had the same problem. I made the changes from 2nd answer. But problem wasn't gone.
After all I've made, I just included my keystore.p12 certificate to pom.xml in profiles section
<profiles>
<!-- DEVELOPMENT PROFILE -->
<profile>
<id>dev</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<build>
<resources>
<resource>
<directory>src/main/resources</directory>
<includes>
<include>application.properties</include>
<include>keystore.p12</include>
<include>data/**</include>
</includes>
</resource>
</resources>
</build>
</profile>
</profiles>
I am using tomcat 8 and need to make it SSL, So I use openSSL to generate self signed certificate and configured the same in tomcat's server.xml file. But I am getting the below exception
INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-7443"]
16-Apr-2015 09:50:56.647 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["http-nio-7443"]
java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1433)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:424)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:323)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:581)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:521)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:363)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:730)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:457)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Write failed: Broken pipegMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43
That trace points to invalid format on your keystore.
Check this:
keytool -list -v -keystore keystore.jks
Are certificates listed in your keystore?
If you generated it with OpenSSL maybe you are generating a pkcs12 and if you import this and use a Connector on Tomcat without specifying the format, according to the default keyStoreType value, it's setted as "JKS".
https://tomcat.apache.org/tomcat-8.0-doc/config/http.html
keystoreType The type of keystore file to be used for the server
certificate. If not specified, the default value is "JKS".
Using keytool:
I suggest: try to generate the keystore with keytool (for me it's easier):
https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html?jn45301e6e=2
Generate a keystore and self-signed certificate:
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
Using PKCS12
Or if you pefer, you can also use a PKCS12 (if it's your case) with Tomcat:
Edit the JAVA_HOME/jre/lib/security/java.security file and change the default keystore type:
# Default keystore type.
keystore.type=pkcs12
Then configure your Connector with something similar to:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreType="PKCS12"
keystoreFile="yourKey.p12"
keystorePass="endeca"
truststoreType="PKCS12"
truststoreFile="yourKey.p12"
truststorePass="pass" />
In my case, openssl.exe which Tomcat recognized did not match with Tomcat Native Library(tcnative-1.dll).
I downloaded them from https://archive.apache.org/dist/tomcat/tomcat-connectors/native then ssl worked.