Apache Tomcat 7 / ZEROSSL files how-to ?!

Hi there guys,

this time I have an Apache Tomcat on Windows, which makes life a bit of a struggle 🙂
I went over to https://zerossl.com/free-ssl/#crt and registered two domains so they could be secured via https. Everything went fine and now I’ve got a bunch of files …

They gave me:


My Tomcat uses a JKS keystore (or will), so I don't know how to get these files mixed up right so that they will do the job as a Tomcat cert 🙂

After I went through several discussions on how to go on, I ended up being completely stuck, as nobody made it comprehensive enough for me to get it together.

Any ideas, suggestions or wise notes on how to head on!?

Kindest regards


There are various existing discussions about creating the JKS from PEM files. Probably these discussions are confusing to you in this context simply because different software uses different names for the same files, so the advice doesn’t seem to translate from one situation to another.

One of the discussions here pointed to


as a useful resource for creating the JKS file. That documentation is using Certbot’s names for these files, which is different from ZeroSSL’s.

I believe the equivalence here is

fullchain.pem ↔ domain-crt.txt

privkey.pem ↔ domain-key.txt

Hopefully, knowing that, you can then follow other people’s JKS-making instructions. 🙂

These files are in PEM format, which is a textual format for representing cryptographic objects like keys and certificates. The first one contains the certificate for your site, together with the “intermediate” or “chain” certificate that proves to clients that Let’s Encrypt should be regarded as a trusted certificate authority. The second one contains your private key, which your server uses to prove that it is the entity to which the certificate actually refers. Certbot thought of these as “the full (certificate) chain applicable to your site” and “the private key of your site”, while ZeroSSL thought of these as “the certificate for your domain” and “the key for your domain”, but they should ultimately have the same content.

The first two files that you got from ZeroSSL might be useful when you have to renew the certificate (after 90 days!), if ZeroSSL asks for them. They aren’t used in the actual operation of the site.
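The file mapping above, carried through to a JKS keystore, as an added example that is not part of the original thread. It assumes `openssl.exe` and the JDK's `keytool.exe` are on `PATH` and PowerShell 5 or later; the alias `tomcat`, the output names `tomcat.p12` and `tomcat.jks`, and the variable `KS_PASS` are assumptions.

```powershell
$ErrorActionPreference = 'Stop'
$cert  = 'domain-crt.txt'   # site certificate + intermediate (Certbot: fullchain.pem)
$key   = 'domain-key.txt'   # private key (Certbot: privkey.pem)
$alias = 'tomcat'           # assumed alias
$p12   = 'tomcat.p12'       # assumed intermediate file
$jks   = 'tomcat.jks'       # assumed keystore name

# 1. The certificate file should hold at least two PEM certificates
#    (site certificate first, then the intermediate).
$n = @(Select-String -Path $cert -SimpleMatch -Pattern '-----BEGIN CERTIFICATE-----').Count
if ($n -lt 2) { throw "$cert holds $n certificate(s); expected site + intermediate" }

# 2. The private key must belong to the site certificate: compare public keys
#    (case-sensitive, since the PEM body is base64).
$pubFromCert = (& openssl x509 -in $cert -noout -pubkey) -join "`n"
$pubFromKey  = (& openssl pkey -in $key -pubout) -join "`n"
if ($pubFromCert -cne $pubFromKey) { throw "$key does not match the certificate in $cert" }

# 3. Hand the password over in an environment variable so it does not
#    appear on any command line.
$secure = Read-Host 'New keystore password (6+ characters)' -AsSecureString
$env:KS_PASS = [System.Net.NetworkCredential]::new('', $secure).Password
try {
    # 4. Bundle key + chain into PKCS#12, then convert that into a JKS.
    & openssl pkcs12 -export -in $cert -inkey $key -name $alias -out $p12 -passout 'env:KS_PASS'
    if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 failed' }
    & keytool -importkeystore -noprompt `
        -srckeystore $p12 -srcstoretype PKCS12 '-srcstorepass:env' KS_PASS `
        -destkeystore $jks -deststoretype JKS '-deststorepass:env' KS_PASS
    if ($LASTEXITCODE -ne 0) { throw 'keytool -importkeystore failed' }

    # 5. The alias should be listed as a PrivateKeyEntry.
    & keytool -list -keystore $jks -alias $alias '-storepass:env' KS_PASS
} finally {
    Remove-Item Env:KS_PASS -ErrorAction SilentlyContinue
    Remove-Item $p12 -ErrorAction SilentlyContinue   # it also contains the private key
}
```

The connector in Tomcat's `server.xml` then points `keystoreFile` at the resulting file and `keystorePass` at the password entered above. Restrict read access on the keystore and on `domain-key.txt` to the account that runs Tomcat.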

I can confirm that @schoen is right 🙂

P.S. The files on ZeroSSL are named the way they are mostly to make it a little bit easier to understand what’s inside and to prevent accidental import of those.

Very good - this worked for me. Okay, it's a bit of a fuss but I guess that's due to the setup.

I got my domains up and running today and it will get interesting when I will have to refresh the certificates. But this time I know how to do it!

Thanks a lot!


Not sure what you are running your Apache on (OS); however, I don’t believe you need to create a JKS each time (not a Tomcat expert, so don’t hold me to this).

I have configured Tomcat 8.5 with just using PEM files. This also means that if you use a client like Certbot you can point Tomcat to your live folders (which are symlinks that get updated) and not have to do anything during renewal.

I think Tomcat is one of those web servers that caches the certs, so you may need to restart it to take new certs.

Links: Using LetsEncrypt Certificates on Tomcat 8.x on Windows

