Install a certificate for my web application running on Tomcat

My web server is Apache Tomcat/8.0.28 on Windows Server 2012 R2.

I can login to a root shell on my machine.

I need help creating a certificate for my host.
I'm not using IIS; I'm using Tomcat to deploy my web app.
I downloaded the client letsencrypt-win-simple.v1.9.8.4.

I created a JKS (letsencrypt.jks) with an RSA 2048 key and a CSR for it with keytool.
I don't know how to use letsencrypt-win-simple to get certificates, or how to apply this to my Tomcat server.

My web app can be accessed at hostname:8080\mywebapp

Are there any tutorials that can help me?

Hi,

Please go to GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.) for instructions on how to use LE Windows Simple software.

After that, a lot of people have discussed Tomcat (and JKS imports) on this forum:

https://community.letsencrypt.org/search?q=tomcat

(I don’t remember if one of those threads offers the best or most complete advice, though.)

Thank you for the answer. I followed the instructions at the URL.

Here are the command I used and the results:

C:\Users\Administrateur>letsencrypt.exe --plugin manual --manualhost myhost.ddns.net --webroot "C:\Program Files\Tomcat\webapps"

[INFO] Let's Encrypt Windows Simple (LEWS)
[INFO] Software version 198.4.6605.15190 (RELEASE)
[INFO] IIS version 8.5
[INFO] ACME Server https://acme-v01.api.letsencrypt.org/
[INFO] Please report issues at https://github.com/Lone-Coder/letsencrypt-win-simple

[INFO] Running in Unattended mode
[INFO] Plugin Manual generated target [Manual] [1 binding - myhost.ddns.net]
[INFO] Authorize identifier: myhost.ddns.net
[INFO] Cached authorization result: valid
[INFO] Requesting certificate myhost.ddns.net 2018/2/6 11:26:55 PM
[INFO] Saving certificate to C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
[INFO] Installing certificate in the certificate store
[INFO] Adding certificate targettec.ddns.net 2018/2/6 11:26:55 PM to store WebHosting

[INFO] Uninstalling certificate from the certificate store
[INFO] Removing certificate targettec.ddns.net 2018/2/6 6:06:05 PM from store WebHosting
[INFO] Adding renewal for myhost.ddns.net
[INFO] Next renewal scheduled at 2018/4/2 11:26:59 PM

C:\Users\Administrateur>

I got a certificate, 13 files!

ca-myhost.ddns.net-crt.der
ca-myhost.ddns.net-crt.pem
Registration
Signer
myhost.ddns.net.history.json
myhost.ddns.net-all.pfx
myhost.ddns.net-chain.pem
myhost.ddns.net-crt.der
myhost.ddns.net-crt.pem
myhost.ddns.net-csr.pem
myhost.ddns.net-gen-csr.json
myhost.ddns.net-gen-key.json
myhost.ddns.net-key.pem
Now I need to configure it with my Tomcat!

Any help please?

Two detailed guides on how to install a certificate with IIS 8:

https://www.godaddy.com/help/iis-8-install-a-certificate-4951
https://www.digicert.com/csr-ssl-installation/iis-8-and-8.5.htm

Here are the instructions from Tomcat:
https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html

Good luck

Thanks stevenzhu,

I read the Apache Tomcat documentation.
They say I have to create a CSR that will be used by the Certificate Authority to create a certificate.
I did create a simple-cert-myhost-ddns-net.csr, but I didn't submit it when I generated the LE certificate!!!
I'm a little confused!

It's OK, I fixed it :slight_smile:! Here are the steps:
First I installed KeyStore Explorer.
I created a store myhoststore.jks.
I imported the key pair from myhost.ddns.net-chain.pem and myhost.ddns.net-key.pem, and imported the two certificates ca-myhost.ddns.net-crt.der and myhost.ddns.net-crt.der.

In Tomcat I edited server.xml:

<Connector port="8443" protocol="HTTP/1.1"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\Program Files\myhoststore.jks"
           keystorePass="xxxxxxxxxxx" keyAlias="myhostletsecript" />

And I have a nice red padlock in the browser :wink:

Now I would like to know how to deal with renewal! Is there any way I can automate it?

I have not used this software but reportedly so:

However you will also have to repeat the JKS import process from the PEM files after each renewal in order for Tomcat to be able to use the new certificate. Therefore you would probably want to make a batch or PowerShell script that does both tasks.

Most Java programs, including Tomcat, accept PFX files in addition to JKS files. This way you can use the PFX generated by letsencrypt-win-simple without needing an intermediary script.

<Connector port="8443" protocol="HTTP/1.1"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\path\to\file.pfx"
           keystorePass=""
           keystoreType="PKCS12" />

By default, letsencrypt-win-simple doesn't set a password for the PFX file, so I left it blank in the example. If you set a PfxPassword in letsencrypt-win-simple's config file you would enter it as the keystorePass here, though.
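For anyone who keeps the JKS setup from the earlier post rather than switching to the PFX, here is one way to script the post-renewal re-import suggested above. This is an added example, not code from this thread, letsencrypt-win-simple or Tomcat; it assumes the paths and alias from the server.xml posted earlier, that a PfxPassword has been set in the letsencrypt-win-simple config (the blank default is awkward to pass to keytool), that the Tomcat Windows service is named Tomcat8, and that keytool.exe from the JRE Tomcat runs on is on PATH. The passwords are placeholders.

```powershell
# Added example (not from this thread, letsencrypt-win-simple or Tomcat): after each
# renewal, re-import the renewed PFX into the JKS that server.xml points at, then
# restart Tomcat so it loads the new key. Passwords below are placeholders.
$PfxPath       = 'C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\myhost.ddns.net-all.pfx'
$PfxPassword   = 'CHANGE-ME-pfx'    # assumption: PfxPassword set in the LEWS config (default is blank)
$JksPath       = 'C:\Program Files\myhoststore.jks'
$JksPassword   = 'CHANGE-ME-jks'    # the keystorePass from server.xml
$Alias         = 'myhostletsecript' # the keyAlias from server.xml
$TomcatService = 'Tomcat8'          # assumption: service name used by the Tomcat Windows installer

# 1. Discover the private-key alias inside the PFX; LEWS chooses it, so do not hard-code it.
$listing = & keytool -list -keystore $PfxPath -storetype PKCS12 -storepass $PfxPassword
if ($LASTEXITCODE -ne 0) { throw "keytool could not open $PfxPath" }
$entry = $listing | Where-Object { $_ -match 'PrivateKeyEntry' } | Select-Object -First 1
if (-not $entry) { throw "no private key entry in $PfxPath" }
$srcAlias = ($entry -split ',')[0].Trim()

# 2. Work on a copy so Tomcat never reads a half-written keystore, and remove the old
#    entry first so the import is a clean replace rather than an overwrite.
$tmpJks = "$JksPath.new"
Copy-Item -Path $JksPath -Destination $tmpJks -Force
& keytool -delete -alias $Alias -keystore $tmpJks -storepass $JksPassword 2>$null
& keytool -importkeystore -noprompt `
    -srckeystore $PfxPath -srcstoretype PKCS12 -srcstorepass $PfxPassword -srcalias $srcAlias `
    -destkeystore $tmpJks -deststoretype JKS -deststorepass $JksPassword `
    -destalias $Alias -destkeypass $JksPassword
if ($LASTEXITCODE -ne 0) { Remove-Item $tmpJks -Force; throw 'import failed; live keystore untouched' }

# 3. Confirm the renewed entry is readable under the alias Tomcat expects, then swap it in.
$check = & keytool -list -v -keystore $tmpJks -storepass $JksPassword -alias $Alias
if ($LASTEXITCODE -ne 0 -or -not ($check -match 'Valid from')) {
    Remove-Item $tmpJks -Force; throw "alias $Alias not readable in new keystore"
}
Move-Item -Path $tmpJks -Destination $JksPath -Force

# 4. Tomcat only reads keystoreFile at startup, so restart the service.
Restart-Service -Name $TomcatService

# Optional check of what Tomcat now serves on the HTTPS connector:
#   keytool -printcert -sslserver myhost.ddns.net:8443
```

Run it from a scheduled task shortly after the letsencrypt-win-simple renewal task, or skip it entirely by pointing keystoreFile at the PFX as shown above.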
