Purpose: These instructions provide a detailed, step-by-step guide to using an existing CA-signed SSL certificate in your Tomcat keystore, so that your JSS server presents the same certificate as your web server.

Requirements: Mac OS X Server (10.6.8), Casper Suite 8.21, access to download a copy of your SSL provider's CA bundle and your web server certificate, and admin access to the Mac OS X Server computer being used for the installation.

Obtain Server Private Key

Launch Keychain Access on your server with root privileges:

1) In Terminal, type (the path contains spaces, so it must be quoted):

sudo "/Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access"

Type your administrator password when prompted.

2) Once Keychain Access launches, select “Keys” in the Category pane.

3) Select your existing web server private key and certificate pair, and click File > Export Items.

When choosing a location to save, remember that you are authenticated as root, so the hidden root home folder may be offered as the default location. Choose a location belonging to your currently logged-in user (e.g. the Desktop).

The file format should be .p12. I will name my exported file “mykeypair.p12”.

You will be asked to create a password for the exported .p12 file; choose something secure but easy to remember.

Extract the private key from exported .p12

Please note that the private key is extremely sensitive: a file containing the server’s private key should *not* be left sitting around. Protect it very carefully.

In Terminal:

sudo openssl pkcs12 -in mykeypair.p12 -nocerts -nodes -out privatekey.key

Here privatekey.key is an arbitrary name for the output file. The -nocerts flag omits the certificates from the output, and the -nodes flag (“no DES”) writes the private key without encryption.

Authenticate when prompted (administrator password). Then type the export password previously configured.

The new private key file will be created, but it will have additional information that’s not needed.

Open the new file in a text editor:

sudo nano /path_to_key_file/privatekey.key

Trim the file contents so you only have:

-----BEGIN RSA PRIVATE KEY-----
UNWNW2304983…..(REST OF CONTENTS TRUNCATED)
-----END RSA PRIVATE KEY-----

Save and close the privatekey.key file.
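The hand-editing step above can be scripted. The following is an added example, not part of the original post: it keeps only the PEM block between the BEGIN and END markers, drops the header lines openssl writes above it, and creates the output file with mode 0600 from the start so the key is never readable by other users. The sample input below is constructed to have the shape of `openssl pkcs12 -nocerts -nodes` output (the base64 body is a placeholder, not a key); the file names and the function name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): strip the header lines that
# openssl pkcs12 writes above the PEM private-key block.

# trim_private_key RAW OUT
# Copies only the PEM private-key block(s) from RAW into OUT.  OUT is created
# under umask 077, so it is owner-readable only from the moment it exists.
# Fails if no complete BEGIN/END pair was found (e.g. wrong input file).
trim_private_key() {
  raw="$1"
  out="$2"
  (
    umask 077
    sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' "$raw" > "$out"
  )
  grep -q '^-----BEGIN .*PRIVATE KEY-----$' "$out" &&
    grep -q '^-----END .*PRIVATE KEY-----$' "$out"
}

WORK=$(mktemp -d "${TMPDIR:-/tmp}/jsskey.XXXXXX")
SAMPLE_IN="$WORK/privatekey.key.raw"   # constructed stand-in for the openssl output
SAMPLE_OUT="$WORK/privatekey.key"

# Constructed sample input: "Bag Attributes" / "Key Attributes" are the extra
# lines the post trims away in nano.  The body is a placeholder, not a real key.
cat > "$SAMPLE_IN" <<'EOF'
Bag Attributes
    friendlyName: mykeypair
    localKeyID: 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
UNWNW2304983PLACEHOLDERNOTAREALKEY
-----END RSA PRIVATE KEY-----
EOF

trim_private_key "$SAMPLE_IN" "$SAMPLE_OUT"
cat "$SAMPLE_OUT"      # only the three PEM lines remain
ls -l "$SAMPLE_OUT"    # -rw------- : nobody else can read the key
```

Run it against the real file with `trim_private_key privatekey.key privatekey.trimmed` and then remove the untrimmed copy. Because the pattern matches any `... PRIVATE KEY` marker, it also works for keys that openssl writes in PKCS#8 form (`BEGIN PRIVATE KEY`) rather than the `BEGIN RSA PRIVATE KEY` form shown above.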

Obtain CA-signed Webserver and CA Bundle Certificates

Download a copy of your web server SSL certificate and CA bundle certificate from your SSL provider. In the case of GoDaddy, for instance, these look like this (when downloaded for Tomcat):

[Image: CA Bundle Files]

The ones we want, in particular, are gd_bundle.crt and hostname.tld.com.crt (hostname.tld.com will actually be the FQDN of your web server). Move these to your working folder, alongside the privatekey.key file previously created.

You should now have a working folder containing your exported .p12 file from Keychain Access, the extracted privatekey.key, the web server certificate, and the CA bundle file.

Create a PKCS12 keystore for use with Tomcat

Now, we will create the PKCS12 file that Tomcat will use:

openssl pkcs12 -export -in hostname.tld.com.crt -inkey privatekey.key -out jsscert.p12 -name tomcat -CAfile gd_bundle.crt -caname root -chain

The above command uses these variables:

  • hostname.tld.com.crt – the path to your web server certificate.
  • privatekey.key – the path to the private key that was extracted previously.
  • jsscert.p12 – the arbitrary name you would like the new PKCS12 file to have.
  • gd_bundle.crt – the CA certificate bundle provided by the signing authority.

After executing the command, you will be prompted for an export password to be used with the resulting PKCS12 file; enter the password “changeit”.
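Before building the file it is worth confirming that the key really belongs to the certificate and that the certificate chains to the bundle, since a mismatch only shows up later as a Tomcat startup error or a browser chain warning. The script below is an added example, not part of the original post: it runs those two checks, then the same `openssl pkcs12 -export` command as above, and finally lists what ended up in the PKCS12 file. The password is passed through the environment rather than on the command line so it does not appear in `ps` output. Function names and file paths are assumptions; with the GoDaddy files from the post the call is `build_tomcat_pkcs12 hostname.tld.com.crt privatekey.key gd_bundle.crt jsscert.p12 changeit`.

```shell
#!/bin/sh
# Added example (not from the original post): check the inputs, build the
# Tomcat PKCS12 file with the post's openssl command, and inspect the result.

# key_matches_cert CERT KEY
# True if the public key inside CERT is the one derived from KEY.  Comparing
# the SubjectPublicKeyInfo PEM works for RSA and EC keys alike.
key_matches_cert() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 2
  key_pub=$(openssl pkey -pubout -in "$2") || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# build_tomcat_pkcs12 CERT KEY BUNDLE OUT PASSWORD
# Refuses to run openssl pkcs12 if KEY and CERT do not belong together or if
# CERT does not chain to BUNDLE ("openssl verify" gives a readable reason,
# whereas -chain would just fail).  OUT is created owner-readable only.
build_tomcat_pkcs12() {
  cert="$1"; key="$2"; bundle="$3"; out="$4"
  key_matches_cert "$cert" "$key" ||
    { echo "private key does not match $cert" >&2; return 1; }
  openssl verify -CAfile "$bundle" "$cert" >/dev/null ||
    { echo "$cert does not chain to $bundle" >&2; return 1; }
  (
    umask 077
    # Same command as in the post; the password comes from the environment.
    P12_PASS="$5" openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
      -name tomcat -CAfile "$bundle" -caname root -chain -passout env:P12_PASS
  )
}

# count_p12_certs P12 PASSWORD
# Prints how many certificates are in the file: the server certificate plus
# the intermediates that -chain pulled in from the bundle.
count_p12_certs() {
  P12_PASS="$2" openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS |
    grep -c 'BEGIN CERTIFICATE'
}

# show_p12_chain P12 PASSWORD
# Lists subject and issuer of every certificate so the chain can be eyeballed.
show_p12_chain() {
  P12_PASS="$2" openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
    grep -E '^(subject|issuer)='
}

# Usage from the working folder (hypothetical paths, as in the post):
#   build_tomcat_pkcs12 hostname.tld.com.crt privatekey.key gd_bundle.crt jsscert.p12 changeit
#   count_p12_certs jsscert.p12 changeit
#   show_p12_chain  jsscert.p12 changeit
```

The export password must match the `keystorePass` attribute of the Tomcat connector that will load the file; “changeit” is Tomcat's default keystore password, which is presumably why the post uses it. If `count_p12_certs` reports only one certificate even though your CA uses intermediates, the bundle did not contain the chain Tomcat needs to serve.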

Once the file is created, move it to the JSS Tomcat directory, like so:

sudo mv /path_to_new_p12/jsscert.p12 /Library/JSS/Tomcat/jsscert.p12

Edit /Library/JSS/Tomcat/conf/server.xml. In the area for the 8443 connector port, you will need to add/edit the following:

keystoreType="PKCS12"
keystoreFile="/Library/JSS/Tomcat/jsscert.p12"

The fully configured connector port should look similar to this (the two lines I added/edited are highlighted in blue):

[Image: JSS Connector Edit]

Save the file and close it.
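A quick sanity check of the edit before restarting Tomcat saves a round trip through the logs. The script below is an added example, not part of the original post: it extracts the connector on port 8443 from server.xml (skipping the commented-out connector that Tomcat's default file ships with), confirms it carries `keystoreType="PKCS12"`, and prints the `keystoreFile` path so you can check the file is really there. The sample server.xml is constructed, modelled on Tomcat's default connector attributes; the real JSS file has more settings and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): verify the 8443 connector in
# server.xml points at the PKCS12 keystore.  This is a line-oriented check
# with awk/sed, not an XML parser; it expects double-quoted attributes.

# ssl_connector SERVER_XML
# Prints the <Connector .../> element whose port is 8443, even when the
# element spans several lines.  Lines inside <!-- --> comments are ignored.
ssl_connector() {
  awk '
    /<!--/  { comment = 1 }
    /-->/   { comment = 0; next }
    comment { next }
    /<Connector/    { buf = ""; inside = 1 }
    inside          { buf = buf $0 "\n" }
    inside && /\/>/ { inside = 0; if (buf ~ /[ \t\n]port="8443"/) printf "%s", buf }
  ' "$1"
}

# connector_attr ELEMENT_TEXT NAME
# Echoes the value of attribute NAME from the element text, or nothing.
connector_attr() {
  printf '%s' "$1" | sed -n 's/.*[[:space:]]'"$2"'="\([^"]*\)".*/\1/p' | head -n 1
}

# check_ssl_connector SERVER_XML
# Exit 0 only if the 8443 connector uses keystoreType="PKCS12" and names a
# keystoreFile; prints that path for the caller to verify on disk.
check_ssl_connector() {
  conn=$(ssl_connector "$1")
  [ -n "$conn" ] || { echo "no active 8443 connector in $1" >&2; return 1; }
  type=$(connector_attr "$conn" keystoreType)
  file=$(connector_attr "$conn" keystoreFile)
  [ "$type" = "PKCS12" ] ||
    { echo "keystoreType is '${type:-unset}', expected PKCS12" >&2; return 1; }
  [ -n "$file" ] || { echo "keystoreFile is not set" >&2; return 1; }
  echo "$file"
}

WORK=$(mktemp -d "${TMPDIR:-/tmp}/jssxml.XXXXXX")
SAMPLE_XML="$WORK/server.xml"

# Constructed server.xml: an 8080 connector, Tomcat's commented-out default
# 8443 connector, and the live 8443 connector edited as the post describes.
cat > "$SAMPLE_XML" <<'EOF'
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreType="PKCS12"
               keystoreFile="/Library/JSS/Tomcat/jsscert.p12"
               keystorePass="changeit" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
EOF

KEYSTORE_PATH=$(check_ssl_connector "$SAMPLE_XML") &&
  echo "8443 connector uses keystore: $KEYSTORE_PATH"
```

On the real server run `check_ssl_connector /Library/JSS/Tomcat/conf/server.xml` and then `ls -l` the printed path; a typo in `keystoreFile` is the most common reason the connector fails to start after this change. Note that `keystorePass` in the connector has to equal the export password chosen when the PKCS12 file was created.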

Restart the Tomcat service:

sudo launchctl unload /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist
sudo launchctl load /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist

Upon visiting your JSS admin page again, it should now be using your SSL cert!

Reference documents:

http://www.jamfsoftware.com/kb/article.php?id=298
http://www.jamfsoftware.com/kb/article.php?id=076
http://www.openssl.org/docs/apps/pkcs12.html