How to use generated certificates with tomcat


I used letsecncrypt mode for generating the certificates .
i successfully got the certificates but i got stuck here ,as now i have to use these certificates with my tomcat . Please tell me the step by step so i can get my https:grinning:

I am getting this error in tomcat
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]]
at org.apache.catalina.util.LifecycleBase.init(
at org.apache.catalina.core.StandardService.initInternal(
at org.apache.catalina.util.LifecycleBase.init(
at org.apache.catalina.core.StandardServer.initInternal(
at org.apache.catalina.util.LifecycleBase.init(
at org.apache.catalina.startup.Catalina.load(
at org.apache.catalina.startup.Catalina.load(
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(
at sun.reflect.DelegatingMethodAccessorImpl.invoke(
at java.lang.reflect.Method.invoke(
at org.apache.catalina.startup.Bootstrap.load(
at org.apache.catalina.startup.Bootstrap.main(
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(
at org.apache.catalina.util.LifecycleBase.init(
… 12 more
Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
at org.apache.coyote.AbstractProtocol.init(
at org.apache.coyote.http11.AbstractHttp11Protocol.init(
at org.apache.catalina.connector.Connector.initInternal(
… 13 more
Caused by: Cannot store non-PrivateKeys
… 20 more



What client software are you using? Most Windows clients for Let’s Encrypt generate PFX files for you, because that’s what Microsoft’s IIS web server uses. It’s strange that yours doesn’t.

You might try using a client that supports PFX files out of the box, like win-acme. Then all you have to do is configure your <Connector> to point at the PFX file it generates; no openssl command would be required.

EDIT: I missed that you mentioned that you use win-acme in your post. But I don’t see the file that it usually generates. Is your screenshot cut off? If you do have that file just use it with the <Connector> example @_az linked to.

EDIT 2: I hate the hide extensions from known file types feature. :exploding_head: You do have that file, I just couldn’t tell because Windows insists on hiding useful information from you by default.


Win-acme didn’t created that file as you are talking about ''" .So now what i have to do?


It’s this one:


Thanks, i added these certificates to my server.xml but its not working .

Is there any step i am missing before adding these certificates to server.xml ?


I have the same problem :frowning: have you found a solution? thanks


Are these windows systems? Perhaps Windows 10?

Do you run the command as administrator?

Caused by: Cannot store non-PrivateKeys

Start mmc (Admin-Box), add the certificates-addin (manual, so you can choose Machine instead of User), then check Webhosting.

  1. Tomcat requires forward-slashes in paths, even on Windows. Change all your backslashes (\) to forward-slashes (/) in your certificate paths.

  2. You can’t use a pem file with the Http11NioProtocol connector. Switch to protocol="org.apache.coyote.http11.Http11AprProtocol" to keep using PEM files or use the PKCS12 file as explained earlier. For more information on the difference and how to configure it properly, see the tomcat SSL howto.

If you’re still having trouble after fixing both these things, please share the contents of your catalina.out file so we can debug further.


Yes, I am getting the same issue . I looked for the catalina file but that file is also missing . I am stuck here , can you suggest me anything else .So i can complete this .


Sorry, I forgot that Tomcat uses a different naming scheme for its logfiles on Windows. It uses catalina-<DATE>.log (e,g, catalina-2018-07-25.log) or tomcat<VERSION>-stdout-<DATE>.log (e.g. tomcat9.0-stdout-2018-07-25.log) depending on the Tomcat version you’re running.


Yes ,I know about this but unfortunately right now tomcat not generating that file(CATALINA.OUT) thats why i still stuck here .

After generating certificates from letsencrypt , what i need to should i installed them ? or whatelse need to do ?
I got one .pfx file which is protected by password ,from where i can get that password ?
Please do suggest some solid steps .


@Patches Can you please guide me ,with proper steps . After generating the certificates what are the steps i need to follow for use these certificates in tomcat .


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.