I agree with @ahaw021, you can’t store a key from just the public cert.
Your command broken down [my best guess]:
sudo [elevate user]
keytool [execute program]
-import [take import action]
-trustcacerts [trust any CA certs found in the imported key file]
-alias tomcat [friendly name for imported key]
-file 0000_chain.pem [file to import]
-keystore /usr/share/tomcat7/.keystore [where to store the imported file]
So the problem is in the:
-file 0000_chain.pem [file to import]
Which expects a complete key file [containing public and private parts + maybe chain]
Hi @rg305 and @ahaw021, thanks for your replies but I don't understand. The links that you shared don't explain where the private key .pem files come from!
I never installed a secure cert on my Tomcat before. The path /etc/letsencrypt/live doesn’t exist. I’m using JDK 7.
It seems the article I followed is simply wrong. If someone at letsencrypt can explain steps from a to z how to install a cert on Tomcat, I’d be eternally grateful…
The 3rd step that you listed regarding importing the cert. results in this error:
keytool error: java.lang.Exception: Public keys in reply and keystore don’t match
The 2nd ‘certbot’ step produces the 3 original files I listed in my first entry in this thread:
0000_chain.pem
0000_cert.pem
0001_chain.pem
No private key as far as I can see. But I read that the private key is placed in my keystore when I ran the step:
keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/mytomcat//keystore/my.keystore -keysize 2048
Correct? So perhaps I can extract it from the keystore and use it to generate the PFX file which I then import into my key store?
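Added example (not posted by anyone in this thread): a stdlib-only Python script that inspects a PEM file such as 0000_chain.pem the way @rg305's breakdown and the file list above suggest, counting CERTIFICATE and PRIVATE KEY blocks and computing the SHA-256 fingerprint of each certificate so it can be compared against the output of `keytool -list -v`. The sample PEM bodies are constructed placeholders rather than real certificates or keys, and the advice strings are assumptions about which keytool flow fits each case.

```python
import base64
import binascii
import hashlib
import re

# One PEM block; the END label must match the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL
)

PRIVATE_KEY_LABELS = {
    "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
}


def parse_pem(text):
    """Return [{label, der, sha256}] for every PEM block in text.

    Header lines such as 'Proc-Type: 4,ENCRYPTED' are skipped before
    decoding; a block whose body is not valid base64 raises ValueError,
    which is what a corrupted or mis-concatenated chain file looks like.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        payload = "".join(
            line.strip() for line in body.splitlines() if ":" not in line
        )
        try:
            der = base64.b64decode(payload, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label} block is not valid base64: {exc}") from exc
        blocks.append(
            {"label": label, "der": der, "sha256": hashlib.sha256(der).hexdigest()}
        )
    return blocks


def summarize(text):
    """Count what the file actually contains, plus certificate fingerprints."""
    blocks = parse_pem(text)
    labels = [b["label"] for b in blocks]
    return {
        "certificates": labels.count("CERTIFICATE"),
        "private_keys": sum(1 for l in labels if l in PRIVATE_KEY_LABELS),
        "csrs": sum(1 for l in labels if l.endswith("CERTIFICATE REQUEST")),
        "fingerprints": [b["sha256"] for b in blocks if b["label"] == "CERTIFICATE"],
    }


def import_advice(summary):
    """Map the summary onto the keytool flows discussed in the thread (assumed wording)."""
    if summary["private_keys"]:
        return "contains a private key: bundle it as PKCS12 and use keytool -importkeystore"
    if summary["certificates"]:
        return ("certificates only: -importcert as the reply to the alias that made the CSR "
                "(or -trustcacerts for CA certs); this file cannot supply a private key")
    return "no certificates or keys found"


def _pem(label, payload):
    """Wrap placeholder bytes in PEM framing (constructed test data only)."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed stand-ins: valid PEM framing around placeholder bytes, not real certs/keys.
SAMPLE_CHAIN_PEM = _pem("CERTIFICATE", b"constructed leaf cert") + _pem(
    "CERTIFICATE", b"constructed intermediate cert"
)
SAMPLE_KEY_PEM = SAMPLE_CHAIN_PEM + _pem("PRIVATE KEY", b"constructed key")


if __name__ == "__main__":
    for name, pem in (("chain only", SAMPLE_CHAIN_PEM), ("chain + key", SAMPLE_KEY_PEM)):
        info = summarize(pem)
        print(name, info["certificates"], "cert(s),", info["private_keys"], "key(s):",
              import_advice(info))
        for fp in info["fingerprints"]:
            print("  sha256", fp)
```

Run it against a real chain file with `summarize(open("0000_chain.pem").read())`; a result of zero private keys confirms that the file is a certificate reply, not the key material, so the import target has to be the alias whose key pair produced the CSR.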
The private key is NOT there for you because it's in your java key store.
The fact that you are getting a mismatch is one of three possibilities:
A) You created the CSR from the wrong store
B) You are importing the certificate into the wrong store
C) You are importing the wrong certificate into your store
I would suggest reading the article below carefully (it explains all the concepts) and following it rather than just using the scripts (as you may not be using the syntax correctly).
I know it's your first time working with Tomcat but understanding the concepts is a better investment of time in my opinion than trying lots of different things and hoping one works