Help install certification on Windows Server 2012

Hello,
this is the first time I have used SSL certification (so maybe I'm missing some things)

I have a Tomcat server running on my Windows Server 2012
and have done everything it said here
https://certbot.eff.org/lets-encrypt/windows-apache

it created my 4 files:

cert.pem
chain.pem
fullchain.pem
privkey.pem
ReadME

How do I install it on my server and make Tomcat use it?

I have found this explanation:
https://www.thesslstore.com/knowledgebase/ssl-install/tomcat-ssl-installation/
but how do I run this on Windows?
I found a website that converts pem to p7b files
so now I also have cert1.p7b


I have found this

I managed to create a p12 file
but how do I use Java's keytool on Windows?

Thanks,

Hi @David1231

Tomcat is a world of its own, nobody knows the details.

But there should be Tomcat documentation on how to do that on Windows.

OK,
after searching I found how to do it, and now it seems to be working.

Last question:
when I check my server on
SSL Checker

I get this:

The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).

The certificate was issued by Let's Encrypt.

The certificate will expire in 89 days.

Can I make it not expire?
Or renew every 89 days?

Thanks,

Please read some required basics:

Let's Encrypt certificates are always valid for 90 days.

Certbot has an autorenew feature via the command certbot renew. On Unix, this is run automatically from the cron or systemd periodic command schedulers, but I'm not really sure what happens on Windows! Maybe this is described in the Certbot documentation, though.

In terms of your Tomcat integration and renewals, the Certbot automated renewal will give you updated versions of the PEM files, not an updated version of the p7b file. However, if you can do the p7b conversion via commands on your own machine, instead of on somebody else's web site (probably using OpenSSL), you could make a deploy hook script which you can ask Certbot to run whenever the certificate is renewed (in order to "deploy" the new certificate). This could include the commands that need to be run to update the p7b file based on the contents of the newly-updated PEM files.

The deploy hook feature is described at

https://certbot.eff.org/docs/using.html#renewing-certificates

I'm sure you'll notice that Certbot's history and documentation are pretty Unix-oriented, since Certbot was written for Unix and only ported to Windows last year. If you find Unixisms in the documentation that just don't make sense on Windows, please bring them up here or on the Certbot GitHub page so that the documentation can be improved!

Some people using Tomcat have also had a better experience using a different application as a reverse proxy to terminate TLS connections, and then forward them to the Tomcat instance on localhost. For example, you could use nginx or Caddy for this purpose (among other options). In that case you can use the more complete and integrated tools for getting a Let's Encrypt certificate in those applications, and then just use them, not to serve any content, but instead to forward all incoming connections to Tomcat running on some port on localhost on your machine.
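
A deploy hook of the kind described in the reply above, as an added example that is not part of the original thread or of Certbot's documentation: a PowerShell script that rebuilds the p7b file, and the p12 file mentioned earlier in the thread, locally with OpenSSL each time Certbot renews, so the private key never leaves the server. The output directory, password file, key alias and service name are assumptions, as is `openssl` being on the PATH.

```powershell
# tomcat-deploy-hook.ps1 (added example; paths, alias and service name are assumptions)
# Register with:
#   certbot renew --deploy-hook "powershell.exe -File C:\scripts\tomcat-deploy-hook.ps1"
$ErrorActionPreference = 'Stop'

$OutDir      = 'C:\tomcat\conf\tls'            # assumed directory Tomcat reads from
$PassFile    = 'C:\tomcat\conf\tls\p12.pass'   # assumed file, ACL-restricted to administrators
$ServiceName = 'Tomcat9'                       # assumed Windows service name

# Certbot sets RENEWED_LINEAGE to the live directory of the certificate it just renewed.
$lineage = $env:RENEWED_LINEAGE
if (-not $lineage) { throw 'RENEWED_LINEAGE is not set; run this only as a Certbot deploy hook.' }

$fullchain = Join-Path $lineage 'fullchain.pem'
$privkey   = Join-Path $lineage 'privkey.pem'
foreach ($f in $fullchain, $privkey, $PassFile) {
    if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { throw "Missing input file: $f" }
}

$p7bTmp = Join-Path $OutDir 'cert.p7b.new'
$p12Tmp = Join-Path $OutDir 'keystore.p12.new'
try {
    # Certificate chain only (no private key) as PKCS#7 / p7b.
    & openssl crl2pkcs7 -nocrl -certfile $fullchain -out $p7bTmp
    if ($LASTEXITCODE -ne 0) { throw "openssl crl2pkcs7 failed with exit code $LASTEXITCODE" }

    # Key plus chain as PKCS#12; the password is passed via the environment,
    # not on the command line where it would show up in process listings.
    $env:TOMCAT_P12_PASS = (Get-Content -Raw -LiteralPath $PassFile).Trim()
    & openssl pkcs12 -export -in $fullchain -inkey $privkey -name tomcat `
        -out $p12Tmp -passout env:TOMCAT_P12_PASS
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }

    # Swap the new files in only after both conversions succeeded.
    Move-Item -Force -LiteralPath $p7bTmp -Destination (Join-Path $OutDir 'cert.p7b')
    Move-Item -Force -LiteralPath $p12Tmp -Destination (Join-Path $OutDir 'keystore.p12')
}
finally {
    # Clear the password and any leftover temporary files, even on failure.
    Remove-Item Env:\TOMCAT_P12_PASS -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $p7bTmp, $p12Tmp -ErrorAction SilentlyContinue
}

# Restart so Tomcat loads the renewed keystore.
Restart-Service -Name $ServiceName
```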

Thank you all.
I will read the docs you posted and see.
If I have any problems I will post.

Thanks!

I'm starting to find myself promoting my own app Certify The Web (https://certifytheweb.com) maybe a little too much but it does provide a dedicated Tomcat deployment task which will create the file for you.

It depends which version of tomcat you are running though (we support v9 +/versions that support pkcs12): https://docs.certifytheweb.com/docs/deployment/tasks/tomcat


This link will work better with "the" rather than "teh" :slight_smile:

Ha, yeah you'd think I'd be getting that right by now.