Recording the steps that worked for me. The certificate was created using Let's Encrypt.
The generated files in the directory with the keys are:
cert.pem chain.pem fullchain.pem privkey.pem
Now, using OpenSSL, convert the certificate to PKCS#12 format:
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_and_key.p12 -name tomcat -CAfile chain.pem -caname root
(It will prompt you for an export password; please provide one. I found the import into the Java keystore did not work when the .p12 file had no password.)
Import to Java keystore
Let us import it into a keystore file (KeyStore.jks). Make sure you provide the same password chosen in the previous step. It will also prompt for a keystore password, so please provide one.
keytool -importkeystore -deststorepass CHANGEIT -destkeypass CHANGEIT -destkeystore KeyStore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias tomcat
Enter source keystore password:
Not sure if it is mandatory, but I needed to execute the following too:
keytool -import -trustcacerts -alias root -file chain.pem -keystore KeyStore.jks
Tomcat configuration
Now let us configure the Tomcat server. In /etc/tomcat7/server.xml, add this after the HTTP connector (port 80):
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="/usr/share/tomcat7/certs/KeyStore.jks" keystorePass="CHANGEIT" keyAlias="tomcat" keyPass="CHANGEIT"/>
Please make sure you provide the path and the passwords specific to your application server. The keystore (.jks file) must be in a location the Tomcat process can read.
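As an added check that is not part of the original notes, the script below audits an HTTPS <Connector> like the one above for the things that most often go wrong with this setup: the CHANGEIT placeholder left in place as the real keystore or key password, a non-TLS sslProtocol, a missing keyAlias, a relative keystoreFile path, and a keystore file readable by other users even though it holds the private key. The function name audit_https_connectors and the embedded server.xml fragments are my own constructions, not taken from a real server.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Well-known placeholder passwords; CHANGEIT is the JDK cacerts default.
DEFAULT_PASSWORDS = {"changeit", "password", "secret", ""}

def audit_https_connectors(server_xml: str, check_fs: bool = True) -> list:
    """Return a list of findings for every SSLEnabled <Connector> in server_xml."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to audit here
        port = conn.get("port", "?")
        store_pass = conn.get("keystorePass", "changeit")  # Tomcat's own default
        key_pass = conn.get("keyPass", store_pass)          # defaults to keystorePass
        for name, value in (("keystorePass", store_pass), ("keyPass", key_pass)):
            if value.lower() in DEFAULT_PASSWORDS:
                findings.append(f"port {port}: {name} is a default/empty password")
        proto = conn.get("sslProtocol", "TLS").upper()
        if proto != "TLS" and not proto.startswith("TLSV"):
            findings.append(f"port {port}: sslProtocol={proto} is not a TLS protocol")
        if conn.get("keyAlias") is None:
            findings.append(f"port {port}: keyAlias not set, Tomcat will pick the first key entry")
        path = conn.get("keystoreFile")
        if path is None:
            findings.append(f"port {port}: keystoreFile not set")
            continue
        if not os.path.isabs(path):
            findings.append(f"port {port}: keystoreFile {path} is relative to CATALINA_BASE")
        elif check_fs and os.path.exists(path):
            # The JKS holds the private key: only the Tomcat user should read it.
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"port {port}: {path} is group/world accessible (mode {mode:04o})")
    return findings

# Constructed server.xml fragments (hypothetical, not a real server's config).
WEAK_XML = """<Server><Service name="Catalina">
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000"/>
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150"
 SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
 keystoreFile="/usr/share/tomcat7/certs/KeyStore.jks" keystorePass="CHANGEIT"
 keyAlias="tomcat" keyPass="CHANGEIT"/>
</Service></Server>"""
HARDENED_XML = WEAK_XML.replace('"CHANGEIT"', '"a-unique-passphrase"')

if __name__ == "__main__":
    print(audit_https_connectors(WEAK_XML, check_fs=False))
```

Run it against the real file with open("/etc/tomcat7/server.xml").read() and check_fs=True to also get the file-permission finding.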