Creating Keystore/Certificate for Tomcat

Hi all, happy to be here.

I am following this guide to build a keystore and install a certificate on my machine; below you'll find the entered commands/output.
I am using a Windows 10 Tomcat installation and have installed the Linux Subsystem on Windows, since it's much easier to get certbot running there.
domain: productiontest.ml

root@DESKTOP-EAI8H0S:~# keytool -genkeypair -alias simple-cert -keyalg RSA -keysize 2048 -keystore letsencrypt.jks -dname "CN=jks-simple-cert.productiontest.ml" -storepass 12345678
root@DESKTOP-EAI8H0S:~# keytool -certreq -alias simple-cert -keystore letsencrypt.jks -file jks-simple-cert_productiontest_ml.csr -storepass 12345678 -ext san=dns:jks-simpile-cert.productiontest.ml
root@DESKTOP-EAI8H0S:~# certbot certonly --manual --csr jks-simple-cert_productiontest_ml.csr --preferred-challenges "dns"

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.jks-simpile-cert.productiontest.ml with the following value:

CXSyjOyJbRFHRJy0LOxGuHFoCMphMkqmF9Ci2iHXkZQ

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.jks-simple-cert.productiontest.ml with the following value:

_NoBXW5vplAwcKo6ARx6mmyvtzudBFZww3JVzRKoPBY

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Server issued certificate; certificate written to /root/0000_cert.pem
Cert chain written to 8
Cert chain written to 9

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /root/0001_chain.pem
   Your cert will expire on 2018-09-03. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
root@DESKTOP-EAI8H0S:~# ls
0000_cert.pem   0001_chain.pem                         letsencrypt.jks
0000_chain.pem  jks-simple-cert_productiontest_ml.csr

In the guide, the output of the last command produces (.cer) files that we can import to the keystore, however, I see three (.pem) files instead. This is where I don’t know how to proceed, so your help would be much appreciated.

The software that I'm installing is essentially a Tomcat server; it provides a wizard that requires my keystore file, my keystore password, and the alias of the certificate, and it takes care of the connection, etc.
So I assume importing the certificate to the keystore is the only remaining step hopefully.

I forgot to use the (--staging) switch, so I do apologize; you'll have to bear with me, this is my first SSL installation. I also haven't found this exact problem in my search inside the forum.

Try this post, it shows the command that works with the .pem files that Certbot produces.

It does produce a pfx archive rather than jks as in your attempt, but Tomcat is happy to use both formats.


Thank you _az
These commands also did not generate a private key (privkey.pem), so how do I proceed?

I will further explain what I attempted, but I fear it will confuse you, since I'm just trying things at this point.

Like I posted, I have these files currently:

root@DESKTOP-EAI8H0S:~# ls
0000_cert.pem   0001_chain.pem                         letsencrypt.jks
0000_chain.pem  jks-simple-cert_productiontest_ml.csr  

However, I do not have a privkey.pem, and I have two chain.pem files.
The command that you posted takes one privkey.pem and one chain.pem.
I tried to figure out how to generate a private key but this is where I’m stuck, am I on the correct path hopefully?

When you use a previously-generated CSR (with any certificate authority, not just Let's Encrypt), this is an alternative to directly using the private key during the certificate request. The CSR names a specific public key that should become the subject public key in the new certificate. Then the certificate that's issued will refer to that key.

Your private key is presumably found in letsencrypt.jks in JKS format, because that's what you specified with these commands:

root@DESKTOP-EAI8H0S:~# keytool -genkeypair -alias simple-cert -keyalg RSA -keysize 2048 -keystore letsencrypt.jks -dname "CN=jks-simple-cert.productiontest.ml" -storepass 12345678
root@DESKTOP-EAI8H0S:~# keytool -certreq -alias simple-cert -keystore letsencrypt.jks -file jks-simple-cert_productiontest_ml.csr -storepass 12345678 -ext san=dns:jks-simpile-cert.productiontest.ml

Because of the use of the CSR with --csr, Certbot didn't use your private key directly at all during the certificate request and also did not create a new one.

If you wanted the private key to be in PEM format instead, you should use a different workflow to create the CSR using a PEM representation of your key. 🙂

If you wanted Certbot to create a new key, you could simply not use --csr. The --csr option to Certbot radically changes how Certbot behaves (for example, it causes everything to be saved into the current directory rather than /etc/letsencrypt) and exists only for compatibility with workflows that specifically require using a pre-existing CSR file.

Remember that you can convert between different formats for representing keys using, for example, openssl commands.


I believe that @ahaw021's tutorial, while perfectly valid, is a bit more roundabout and manual than necessary. You could instead simply use Certbot or another client "as designed" and then convert the keystore format with a single command at the very end of the process.

In the context of @ahaw021's tutorial which you were following, it looks like you got confused by the part

I renamed the certs along the lines of what they are (certs only and certs with intermediates)

which is simply renaming the .pem files that Certbot outputs to particular names with .cer. (This doesn't change the format of these files; it's simply a different naming convention!)

Then @ahaw021 does

    keytool -importcert -alias simple-cert -keystore letsencrypt.jks -storepass test12345 -file .\jks-simple-cert-with-chain.cer
    keytool -importcert -alias san-cert -keystore letsencrypt.jks -storepass test12345 -file .\jks-san-cert-with-chain.cer

If you don't have these .cer files, it's simply because you didn't rename them. 🙂

But again, I think this method is much more roundabout than necessary.

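The two explanations above (the private key never left letsencrypt.jks, the issued chain goes back in as a certificate reply under that same alias, and openssl converts formats from there) and the earlier note that Tomcat takes a PKCS12 file as readily as a JKS, carried through end to end as an added example. This is my script, not code from the thread or from the tutorial it cites, written for the WSL shell the poster was using. It keeps the thread's alias and store password (simple-cert, 12345678) but everything else is assumed: the hostname is hypothetical, the working directory is a temp dir, and a constructed local test CA stands in for certbot --csr so the whole thing runs offline; the file names it produces (0000_cert.pem, 0001_chain.pem) copy certbot's layout for the CSR workflow.

```shell
#!/bin/sh
# Added example, not code from the thread or from the JKS tutorial it cites.
# Flow: key pair + CSR in a JKS -> CSR signed -> chain imported back under the
# key's alias -> keystore checked -> converted to PKCS12 -> PEM key extracted.
# Assumptions (mine): alias simple-cert, store password 12345678, a hypothetical
# hostname, and a *constructed* test CA standing in for certbot --csr (offline).
set -eu

ALIAS=simple-cert
STOREPASS=12345678
HOST=jks-simple-cert.example.test       # hypothetical, not the thread's domain
WORK=${WORK:-$(mktemp -d)}
JKS="$WORK/letsencrypt.jks"

have_tools() {
    command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1
}

# Step 1: key pair and CSR, the same two keytool commands the thread starts with.
make_key_and_csr() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -storetype JKS \
        -keystore "$JKS" -dname "CN=$HOST" -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -certreq -alias "$ALIAS" -keystore "$JKS" -storepass "$STOREPASS" \
        -file "$WORK/request.csr" -ext "san=dns:$HOST"
}

# Step 2 (stand-in for certbot --csr): a constructed test CA signs the CSR. Files are
# laid out as certbot does: 0000_cert.pem = leaf, 0001_chain.pem = leaf + issuer(s).
sign_with_test_ca() {
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Test CA" \
        -config "$WORK/ca.cnf" -extensions ca_ext -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$HOST" > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/request.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/0000_cert.pem" 2>/dev/null
    cat "$WORK/0000_cert.pem" "$WORK/ca.pem" > "$WORK/0001_chain.pem"
}

# Step 3: import the full chain as a certificate *reply* under the SAME alias that
# holds the private key (this is what the tutorial's renamed .cer import does).
# A different alias would create a separate trusted-cert entry and leave the key
# entry with its self-signed certificate, which is then what Tomcat serves.
# -trustcacerts lets keytool anchor a real chain on a root in the JDK's cacerts;
# the constructed root is not there, so it is imported as a trusted entry first.
import_cert_reply() {
    keytool -importcert -alias test-root -keystore "$JKS" -storepass "$STOREPASS" \
        -file "$WORK/ca.pem" -noprompt
    keytool -importcert -alias "$ALIAS" -keystore "$JKS" -storepass "$STOREPASS" \
        -file "$WORK/0001_chain.pem" -trustcacerts -noprompt
}

# Checks to run before handing the store to Tomcat: the key entry must carry the
# issued chain (leaf + issuer = 2 here), not a lone self-signed certificate.
entry_type() {
    keytool -list -v -alias "$ALIAS" -keystore "$JKS" -storepass "$STOREPASS" 2>/dev/null \
        | sed -n 's/^Entry type: *//p'
}
chain_length() {
    keytool -list -v -alias "$ALIAS" -keystore "$JKS" -storepass "$STOREPASS" 2>/dev/null \
        | sed -n 's/^Certificate chain length: *//p'
}

# Step 4: Tomcat accepts JKS or PKCS12. The PKCS12 copy is also the route to the
# PEM private key the thread asks about: keytool never exports keys, openssl does.
export_pkcs12_and_pem() {
    keytool -importkeystore -srckeystore "$JKS" -srcstorepass "$STOREPASS" -srcalias "$ALIAS" \
        -srckeypass "$STOREPASS" -destkeystore "$WORK/tomcat.p12" -deststoretype PKCS12 \
        -deststorepass "$STOREPASS" -noprompt
    # Older JDKs protect PKCS12 entries with RC2/3DES, which OpenSSL 3 reads only via -legacy.
    openssl pkcs12 -in "$WORK/tomcat.p12" -passin "pass:$STOREPASS" -nocerts -nodes \
        -out "$WORK/privkey.pem" 2>/dev/null ||
    openssl pkcs12 -legacy -in "$WORK/tomcat.p12" -passin "pass:$STOREPASS" -nocerts -nodes \
        -out "$WORK/privkey.pem"
    chmod 600 "$WORK/privkey.pem"
    # The exported key must be the one the issued certificate is bound to.
    [ "$(openssl pkey -in "$WORK/privkey.pem" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$WORK/0000_cert.pem" -pubkey -noout 2>/dev/null)" ]
}

run_demo() {
    have_tools || { echo "keytool or openssl missing, nothing to do" >&2; return 0; }
    make_key_and_csr
    sign_with_test_ca
    import_cert_reply
    export_pkcs12_and_pem
    echo "$ALIAS: $(entry_type), chain length $(chain_length), files in $WORK"
}

if [ "${1:-}" = "run" ]; then run_demo; fi
```

Run it as `sh import_chain.sh run`. With a real certbot --csr run, drop sign_with_test_ca, point the import at certbot's 0001_chain.pem, and skip the test-root import; -trustcacerts is enough provided the chain's root is in the JDK's cacerts. The PKCS12 file and the PEM key are the pieces a PFX-based Tomcat setup or any openssl-based tooling would take from here.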

Hi @schoen

Just to add a small bit of context.

Most of my guides are around concepts. I believe you can’t really automate what you don’t understand.

Tutorial - Java KeyStores (JKS) With Let's Encrypt

There are a couple of automation steps.

I will have a look at writing a Python hook for this that will work with Let's Encrypt.

Andrei


I finally had a successful workflow, despite not being able to understand the whole process yet.
I generated the keystore and certificate request files via keytool, then used zerossl to provide me with the certificate.
Then I imported the certificate to the keystore using the originally mentioned tutorial.

Thank you guys and sorry for the trouble!


Cool! You may still be happier in the long run if you find some certificate issuance process using a client application directly on your server, whether that’s Certbot or some other client, because you’ll have to renew your certificate by the time it expires and it might be a lot of work to go through this whole process again every couple of months.

Many of the client applications have more automated renewal processes (like Certbot’s certbot renew).
