This time I have an Apache Tomcat on Windows, which makes life a bit of a struggle.
I went over to https://zerossl.com/free-ssl/#crt and registered two domains so they could be secured via https. Everything went fine and now I’ve got a bunch of files …
My Tomcat uses a JKS keystore (or will be), so I don't know how to get these files mixed up right so that they will do the job as a Tomcat cert.
After I went through several discussions on how to go on, I ended up being completely stuck, as nobody made it comprehensive enough for me to get it together.
Any ideas, suggestions or wise notes on how to head on!?
There are various existing discussions about creating the JKS from PEM files. Probably these discussions are confusing to you in this context simply because different software uses different names for the same files, so the advice doesn’t seem to translate from one situation to another.
as a useful resource for creating the JKS file. That documentation is using Certbot’s names for these files, which is different from ZeroSSL’s.
I believe the equivalence here is
fullchain.pem (Certbot) = domain-crt.txt (ZeroSSL)
privkey.pem (Certbot) = domain-key.txt (ZeroSSL)
Hopefully, knowing that, you can then follow other people’s JKS-making instructions.
These files are in PEM format, which is a textual format for representing cryptographic objects like keys and certificates. The first one contains the certificate for your site, together with the “intermediate” or “chain” certificate that proves to clients that Let’s Encrypt should be regarded as a trusted certificate authority. The second one contains your private key, which your server uses to prove that it is the entity to which the certificate actually refers. Certbot thought of these as “the full (certificate) chain applicable to your site” and “the private key of your site”, while ZeroSSL thought of these as “the certificate for your domain” and “the key for your domain”, but they should ultimately have the same content.
The first two files that you got from ZeroSSL might be useful when you have to renew the certificate (after 90 days!), if ZeroSSL asks for them. They aren’t used in the actual operation of the site.
P.S. The files on ZeroSSL are named the way they are mostly to make it a little bit easier to understand what’s inside and to prevent accidental import of those.
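As an added example (not code from any poster in this thread), the following Python sketch identifies a PEM file's role from its content rather than its name, which is the point of the file equivalence described above, and then lists the usual openssl and keytool invocations for turning the pair into a JKS. The alias `tomcat`, the output file names and the `sample_pem` test data are assumptions made for the example.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def sample_pem(label):
    """Constructed stand-in block (a tiny DER SEQUENCE), not real key material."""
    body = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pem_labels(text):
    """Return the label of every well-formed PEM block, in file order."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # certs, keys and CSRs are ASN.1 SEQUENCEs
            raise ValueError(f"{label}: body is not DER")
        labels.append(label)
    return labels

def classify(text):
    """Name a PEM file's role from its content, not from its file name."""
    labels = pem_labels(text)
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for name in labels if name.endswith("PRIVATE KEY"))
    if keys and certs:
        return "mixed"          # key and certificate in one file
    if keys == 1 and len(labels) == 1:
        return "private-key"    # privkey.pem / domain-key.txt
    if certs and certs == len(labels):
        return "full-chain" if certs >= 2 else "single-cert"
    if labels == ["CERTIFICATE REQUEST"]:
        return "csr"            # not used when serving the site
    return "unknown"

def keystore_commands(chain, key, p12="keystore.p12", jks="keystore.jks"):
    """argv lists for PEM -> PKCS#12 -> JKS; both tools prompt for passwords."""
    return [
        ["openssl", "pkcs12", "-export", "-in", chain, "-inkey", key,
         "-out", p12, "-name", "tomcat"],
        ["keytool", "-importkeystore", "-srckeystore", p12,
         "-srcstoretype", "PKCS12", "-destkeystore", jks, "-deststoretype", "JKS"],
    ]

if __name__ == "__main__":
    chain = sample_pem("CERTIFICATE") + sample_pem("CERTIFICATE")
    print(classify(chain), classify(sample_pem("RSA PRIVATE KEY")))
    for cmd in keystore_commands("domain-crt.txt", "domain-key.txt"):
        print(" ".join(cmd))
```

Only a file classified as `full-chain` should be passed to `-in` and only a `private-key` file to `-inkey`; a `csr` or `mixed` result means the wrong file was picked.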
Not sure what you are running your Apache on (OS); however, I don’t believe you need to create a JKS each time (not a Tomcat expert, so don’t hold me to this).
I have configured Tomcat 8.5 using just PEM files. This also means that if you use a client like certbot, you can point Tomcat to your live folders (which are symlinks that get updated) and not have to do anything during renewal.
I think Tomcat is one of those web servers that caches the certs, so you may need to restart it to pick up new certs.