Here are the commands used to create the keystore for Tomcat with a wildcard certificate. Note that you must have the private key that was used to generate the CSR. Once the CA sends you the new certificate, the key may need to be converted into a format that can be read by the "keytool" command:
# openssl pkcs12 -export -in STAR_somedomain_com.crt -inkey PRIV_somedomain.key -out STAR_somedomain_com.p12 -name tomcat -CAfile AddTrustExternalCARoot.crt -caname root
Enter Export Password:
Verifying - Enter Export Password:
At this step, you have to enter a password. In this example, "changeit" was used, as it is the default password for the Traverse Tomcat server.
# apps/jre/bin/keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore /tmp/webapp.keystore -srckeystore STAR_somedomain_com.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias tomcat
In this step and the next, "changeit" is used for both the key password and the keystore password.
# cp /tmp/webapp.keystore /usr/local/traverse/plugin/web/
cp: overwrite `/opt/traverse/plugin/web/webapp.keystore'? y
# apps/jre/bin/keytool -keystore ../plugin/web/webapp.keystore -storepass changeit -list -alias tomcat
tomcat, Oct 7, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): 14:92:C7:F3:0F:F1:EA:2B:8B:93:25:EA:FC:0D:F3:F7
Note that "PrivateKeyEntry" indicates that the entry holds the private key together with its certificate, so it is a valid entry that Tomcat can use. Please update the standard key installation instructions with this information.
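The final verification step can be scripted so that a keystore without the private key is rejected before Tomcat is restarted. The following is an added example, not part of the original instructions; the function and variable names are hypothetical, and the trustedCertEntry sample is constructed to show the failure case.

```shell
#!/bin/sh
# Added example: turn the manual "look for PrivateKeyEntry" check into a gate.
# Function and variable names here are hypothetical, not from the page.

# Output of the page's `keytool -list -alias tomcat` step.
SAMPLE_GOOD='tomcat, Oct 7, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): 14:92:C7:F3:0F:F1:EA:2B:8B:93:25:EA:FC:0D:F3:F7'

# Constructed sample: the listing when only the certificate was imported
# and the private key is missing.
SAMPLE_CERT_ONLY='tomcat, Oct 7, 2013, trustedCertEntry,'

# Read `keytool -list` output on stdin and print the entry type of alias $1.
# Exits 2 if the alias does not appear in the listing.
keystore_entry_type() {
    awk -v want="$1" -F', *' '
        { sub(/[ \t\r]+$/, "") }          # drop trailing blanks / CR
        $1 == want {
            # The date contains a comma and its format is locale-dependent,
            # so take the last non-empty field instead of a fixed column.
            n = NF
            while (n > 1 && $n == "") n--
            print $n
            found = 1
            exit
        }
        END { if (!found) exit 2 }
    '
}

# Return 0 only when alias $1 holds a private key plus certificate.
check_keystore_entry() {
    etype=$(keystore_entry_type "$1") || {
        echo "FAIL: alias '$1' not found in keytool output" >&2
        return 2
    }
    case $etype in
        PrivateKeyEntry) echo "OK: '$1' is a PrivateKeyEntry" ;;
        *) echo "FAIL: '$1' is a $etype, not a PrivateKeyEntry" >&2; return 1 ;;
    esac
}

# Usage against the keystore built above:
#   apps/jre/bin/keytool -keystore ../plugin/web/webapp.keystore \
#       -storepass changeit -list -alias tomcat | check_keystore_entry tomcat
```

A return status of 1 means the alias exists but carries no private key; 2 means the alias was not found, which is also what a keytool error message produces.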