Config tomcat server with pem files

Hello,

Follow this tutorial Certbot, I did integrate ssl on my Server.
But I want to enable ssl from my Tomcat

This is my configuration with keystore file and password.

I want to modify it to use pem files since I can get it from the directory

/etc/letsencrypt/live/{domain}

cert.pem chain.pem fullchain.pem privkey.pem

Can anyone help me do that?

My operating system is (include version): Ubuntu 14.04.4 LTS

My web server is (include version): Apache Tomcat 7

Thanks in advance

I’m hoping you’re not using that password anywhere else? :tired_face:

And especially not publishing it everywhere… :frowning:

I don’t think Tomcat knows how to read PEM files directly. Certainly it didn’t a few years ago when I last used it.

You can import PEM files into either a Java Keystore or PKCS12 file, and tell Tomcat to read those. You would need to ensure that each time the certificate is renewed, these steps are done again (e.g. automatically by a script) so that the certificate used by Tomcat isn’t left to expire.

I suggest here the PKCS12 type, to use this you will need to do several steps, I hope I explain these well, but please respond if you get stuck and I or someone else will try to help because I am not trying this as I explain it.

  • Make PKCS12 file. Run this command:

openssl pkcs12 -export -in /etc/letsencrypt/live/{domain}/fullchain.pem -inkey /etc/letsencrypt/live/{domain}/privkey.pem -out /home/hoavo/myca/letsencrypt.p12

This creates the file /home/hoavo/myca/letsencrypt.p12 from the Let’s Encrypt PEM files (of course you can call this file something different if you choose)

  • Modify Tomcat configuration appropriately

You need to modify your Tomcat configuration file that you have now as follows :

  1. Change everywhere that says /home/hoavo/myca/tomcat.keystore to say /home/hoavo/myca/letsencrypt.p12 (or whatever you called the new PKCS12 file you created in the first step)

  2. Remove the keystorePass and trustStorePass settings entirely

  3. Add keystoreType=“PKCS12” and trustStoreType=“PKCS12”

Cross fingers I got all of the above right and it now works.

1 Like

Thanks a lot. I did it.

As a side note, things got a whole lot easier with the latest Tomcat 8 release (thanks to @coleman-rik for the tip!)

Leaving this here in case anyone stumbles across this thread in the future and happens to be running a version >= 8.5.3:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.