A short note about converting Let's Encrypt certificate into Java JKS keystore for Tomcat
It’s really not rocket science, but I can never remember it exactly. So here it is:
- I sometimes have to find the path for certbot, as it doesn’t get set for “root” (assuming certbot is installed):
which certbot
sudo su
export PATH=<certbotpath>:$PATH
- assuming you’re root (or other account with necessary privileges):
certbot renew
- if you have/get a new certificate, you can do the “tricky part”
- change working directory to the folder with the new certificate
cd /etc/letsencrypt/live/<site>
- first we need to create a PKCS12/PFX file containing the new private key and the certificate chain (the intermediary password used below is “password”):
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out server.p12 -name tomcat
Note: initially, we suggested “-in cert.pem -CAfile chain.pem ….”, which doesn’t include the chain in the P12 file.
- the next is to convert the PKCS12 file into a JKS Java keystore:
keytool -importkeystore -deststorepass password -destkeypass password -destkeystore /etc/usrMgmt/onetimekeystore.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass password -alias tomcat
- restart the Tomcat app, if it needs restarting to pick up the new SSL certificate
- clean up - delete the temporary JKS file
- A note of caution - it may be the case that the configuration files are wrapped in a jar file. (Just in case you can’t find any and have been banging your head against your desk for the last 2 days :)
Note: we keep our Tomcat apps in /opt/
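The whole sequence above, collected into one script so the steps run in order with a couple of checks that the note does not spell out. This is an added example, not the original note’s commands or anything shipped by certbot or Tomcat: it assumes certbot, openssl and keytool are on PATH, reuses the note’s “password” as the intermediary password (overridable via STORE_PASS), defaults the output to the note’s /etc/usrMgmt/onetimekeystore.jks, and adds -passout / -noprompt so nothing waits for interactive input. The verify step uses keytool -list -v to confirm the alias holds a private key entry whose chain is longer than one certificate, which is exactly the thing the cert.pem + -CAfile variant got wrong.

```shell
#!/bin/sh
# Hypothetical helper (example code, not from the original note): renew with
# certbot, then turn fullchain.pem + privkey.pem into a temporary JKS for Tomcat.
# Assumes certbot, openssl and keytool are installed; paths are placeholders.
set -eu

LE_BASE="/etc/letsencrypt/live"        # certbot's default "live" directory
STORE_PASS="${STORE_PASS:-password}"   # intermediary password, as in the note
KEY_ALIAS="tomcat"

# Fail early with a clear message if a required tool is not on PATH.
require_tool() {
    command -v "$1" >/dev/null 2>&1 || { echo "missing tool: $1" >&2; return 1; }
}

# Directory where certbot keeps the current certificate for a site.
le_live_dir() {
    printf '%s/%s\n' "$LE_BASE" "$1"
}

# Build a PKCS12 file carrying the private key plus the full chain.
# Using fullchain.pem (not cert.pem with -CAfile) is what puts the chain in the P12.
make_p12() {
    live="$1"; out="$2"
    openssl pkcs12 -export \
        -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
        -name "$KEY_ALIAS" -passout "pass:$STORE_PASS" -out "$out"
    chmod 600 "$out"
}

# Import the P12 into a fresh JKS. The destination is removed first so keytool
# never asks whether to overwrite; -noprompt suppresses the remaining questions.
p12_to_jks() {
    p12="$1"; jks="$2"
    rm -f "$jks"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$STORE_PASS" \
        -destkeystore "$jks" -deststorepass "$STORE_PASS" -destkeypass "$STORE_PASS" \
        -alias "$KEY_ALIAS"
    chmod 600 "$jks"
}

# Confirm the alias is a private-key entry and that more than one certificate
# was imported under it (i.e. the intermediates made it into the keystore).
verify_jks() {
    jks="$1"
    listing="$(keytool -list -v -keystore "$jks" -storepass "$STORE_PASS" -alias "$KEY_ALIAS")"
    echo "$listing" | grep -q 'Entry type: PrivateKeyEntry' \
        || { echo "no private key under alias $KEY_ALIAS" >&2; return 1; }
    echo "$listing" | grep -Eq 'Certificate chain length: ([2-9]|[1-9][0-9]+)' \
        || { echo "certificate chain looks truncated" >&2; return 1; }
}

main() {
    site="$1"
    jks="${2:-/etc/usrMgmt/onetimekeystore.jks}"   # path from the note; adjust as needed
    for t in certbot openssl keytool; do require_tool "$t"; done
    live="$(le_live_dir "$site")"
    certbot renew
    p12="$(mktemp)"                                # temporary P12, deleted below
    make_p12 "$live" "$p12"
    p12_to_jks "$p12" "$jks"
    verify_jks "$jks"
    rm -f "$p12"
    echo "JKS ready at $jks; point Tomcat at it, restart if needed, then delete it."
}

# Run only when a site name is given, e.g.:  sh le2jks.sh example.com [/path/to/out.jks]
if [ $# -gt 0 ]; then main "$@"; fi
```

The JKS written here is still the one-time file the note tells you to delete afterwards; the chmod 600 calls just keep the key material from being world-readable in the meantime.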