Generate jks file when mysite.com_fullchain_and_key.p12 is missing

Dear all, please help me!

I have renewed a certificate for our web site. During the past, it worked fine for a couple of times. But now I have get lost and I have a major issue. This is the way I renew the certificate:

# certbot renew

# openssl pkcs12 -export -out /tmp/my-website.com_fullchain_and_key.p12 -in /etc/letsencrypt/live/ -inkey /etc/letsencrypt/live/ -name tomcat

# mv /usr/share/CM_Server/conf/ /usr/share/CM_Server/conf/my-website.com_`date +'%Y_%m_%d'`.jks

# keytool -importkeystore -deststorepass <store-password> -destkeypass <store-password> -destkeystore /usr/share/CM_Server/conf/ -srckeystore /tmp/my-website.com_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass <store-password> -alias tomcat

In the last step the keytool generates a jks file from the source /tmp/my-website.com_fullchain_and_key.p12. Unfortunately, this time i can not find the my-site_fullchain_and_key.p12 file in the /tmp folder. At the end of the day, I've ended with a fresh set of cert.pem, chain.pem, fullchain.pem and privkey.pem files, but I am not able to generate the jks, as the my-website.com_fullchain_and_key.p12 is missing.

Can anyone help me, how to generate the jks file in this case, please?

Thank you so much!

Have a look under /etc/letsencrypt/live/ to see if your website is listed and if it is look under that directory for the related certificate files.


Hi webprofusion,

yes, my website is listed in /etc/letsencrypt and in the live directory I have cert.pem, chain.pem, fullchain.pem and privkey.pem files.

Maybe I was not clear enough, sorry, my question is:

How will I generate a file? Untill now, I have generated it through:

# keytool -importkeystore -deststorepass <store-password> -destkeypass <store-password> -destkeystore /usr/share/CM_Server/conf/ -srckeystore /tmp/my-website.com_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass <store-password> -alias tomcat

But now in the temp folder I have no "my-website.com_fullchain_and_key.p12" file. How can I generate the jks from existing files, please? I am really lost in those certificates. :frowning:

Stepping back a little, what service (what software etc) are you trying to get a certificate for?

You already have your certificate so your problem is converting it into a java key store.

Personally I'd assume you need to create a new Keystore file using keytool, then import your certificate and private key files into that.


I need the file for a webapp of our company. The webserver is apache tomcat and the app uses a CM Server with java. I am really lost a bit now. I have never worked with Keystore files, this is what I have got from my predeccesor.

The openssl command created that file. Did any errors occur while running that command?


It gave me no error. This was my second attempt, first time I have renewed the certificate on April 28. Everything seemed to work fine but yesterday I have realised that the site has still the old certificate and since it is more than 10 days, the old my-site_fullchain_and_key.p12 file in the /tmp folder was allready gone.

Yesterday it was my second attempt and the renewal returned me this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/

Renewing an existing certificate for

Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/ (success)

Then I have made an another task and the certbot renew has said that the fullchain.pem certificate is not due for renewal yet, it expires on August 29.

Why is this missing if your openssl command worked?

Also, what is your real domain name

and, what does this show

certbot certificates

The certbot certificates gave me this:

Found the following certs:
  Certificate Name:
    Serial Number: <some large number>
    Key Type: RSA
    Expiry Date: 2023-08-29 17:47:14+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/
    Private Key Path: /etc/letsencrypt/live/

Sorry, my real domain name is

Thanks. Your cert looks recent. So, go one step at a time with your commands and check each one.

After the openssl it should create the .p12 file in your /tmp/ folder (the -out file name in that command).

If that looks good run and check the next command and so on.


Thanks, I will do. But I have to do it later, because I have to shut down the server, and I am not allowed to do it earlier than in a couple of hours. Thanks a lot, I hope it will help.

1 Like

You are the man, MikeMcQ!

Thank you a lot! It worked after I have continued with openssl command, everything works like a charm now!

Thank you both guys for helping me to solve this!



This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.