So you have created your Letsencrypt certificate using certbot, and now wish to import the generated certificate to your already existing server such as Wildfly or Tomcat that makes use of a Javakeystore, and where you were previously using your self signed certificate that comes along with each tutorial.

How to use letsencrypt certificates with Tomcat or Wildfly

So let’s say that you have the following configuration for SSL under your Wildfly standalone.xml file.

<security-realm name="ApplicationRealm">
            <server-identities>
                <ssl>
                    <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server"/>
                </ssl>
            </server-identities>
</security-realm>

And your letsencrypt certbot generated files under /etc/ssl/letsencrypt

Firt we must make our pem encoded privKey.pem and fullchain.pem into pcks12 encoded certificates in combined format.

This requires openssl to be installed on the machine where you will perform the format conversion.

openssl pkcs12 -export \
    -in /etc/ssl/letsencrypt/domain/certs/fullchain.pem \
    -inkey /etc/ssl/letsencrypt/domain/certs/privkey.pem \
    -name ALIAS_THAT_KEYSTORE_WILL_HAVE \
    -out /etc/ssl/letsencrypt/domain/certs/cert.pkcs12 -passout pass:SOME_PASSWORD_OPTIONAL

This is similar to how haproxy uses certificates and privatekey in combined .pem format, both must be present in a single file.

So now that we have a valid pkcs12 format combined certificate.

Lets import it into our application.keystore, or whatever your keystore name is, this is just an example to keep the same values as defined in the above Wildfly standalone.xml configuration.

keytool -importkeystore -alias SAME_AS_DEFINE_IN_STANDALONE.xml \
    --srckeystore "/etc/ssl/letsencrypt/domain/certs/cert.pkcs12" \
    -keystore PATH_TO\application.keystore \
    -srcstoretype PKCS12 \
    -destkeystore PATH_TO\application.keystore \
    -deststoretype JKS \
    -srcstorepass SOME_PASSWORD_OPTIONAL \
    -deststorepass SOME_DESTINATION_KEYSTORE_PASS \
    -noprompt
# -noprompt -> Optional, this is helpful in automation

And that’s it, now just make sure to reload, or if you wish restart your application, and your letsencrypt generated certificate should be presented by Tomcat or Wildfly.

André Ilhicas dos Santos

Devops Padawan, curious about systems automation, learning new languages, paradigms tools each day.

ilhicas ilhicas


Published