Convert java keystore key into DSA (understood by Apache)

I have a wildcard SSL certificate bought from GoDaddy that serves various websites. Most of them run on Apache Tomcat, but when I had the need to run an SSL secured site in Apache HTTP server as well, I had the choice … buy another SSL certificate (which seemed pointless as I already own a wildcard certificate and can use whatever subdomains I need), or work out how to get my certificate up and running on both servers.

The problem isn’t getting my signed certificate in formats that both Apache Tomcat and Apache HTTP will understand, that bit’s easy. The problem is that my certificate request was created using a private key stored in a java keystore, which Apache HTTP doesn’t understand. Quick google later and the solution wasn’t very difficult, here’s what I did!

GoDaddy created my certificate and provide their root CA bundle, let’s call them and gd_bundle.crt respectively.

I created the initial signing request with a java keystore, tomcat.keystore, under alias tilion.

Usage instructions for ExportPriv were quick and easy to follow.

java ExportPriv tomcat.keystore tilion <password> | openssl pkcs8 -inform PEM -nocrypt >

Apache2 configuration parameters:

SSLEngine on
SSLCertificateFile /path/to/
SSLCertificateKeyFile /path/to/
SSLCertificateChainFile /path/to/gd_bundle.crt