So you have created your Let's Encrypt certificate using certbot, and now wish to import the generated certificate into an existing server such as Wildfly or Tomcat that uses a Java keystore, where until now you were using the self-signed certificate that comes with every tutorial.
How to use letsencrypt certificates with Tomcat or Wildfly
So let's say that you have the following SSL configuration in your Wildfly standalone.xml file:
<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server"/>
        </ssl>
    </server-identities>
</security-realm>
And your certbot-generated Let's Encrypt files are under
First we must convert our certificate chain and private key into a single PKCS12-encoded file (combined format). This requires openssl to be installed on the machine where you perform the format conversion.
openssl pkcs12 -export \
    -in /etc/ssl/letsencrypt/domain/certs/fullchain.pem \
    -inkey /etc/ssl/letsencrypt/domain/certs/privkey.pem \
    -name ALIAS_THAT_KEYSTORE_WILL_HAVE \
    -out /etc/ssl/letsencrypt/domain/certs/cert.pkcs12 \
    -passout pass:SOME_PASSWORD_OPTIONAL
This is similar to how HAProxy uses certificates and private keys in combined .pem format: both must be present in a single file.
Now that we have a valid PKCS12 combined certificate, let's import it into application.keystore (or whatever your keystore is named; that name is used here only to match the Wildfly standalone.xml configuration above).
keytool -importkeystore \
    -srckeystore /etc/ssl/letsencrypt/domain/certs/cert.pkcs12 \
    -srcstoretype PKCS12 \
    -srcstorepass SOME_PASSWORD_OPTIONAL \
    -srcalias ALIAS_THAT_KEYSTORE_WILL_HAVE \
    -destkeystore PATH_TO/application.keystore \
    -deststoretype JKS \
    -deststorepass SOME_DESTINATION_KEYSTORE_PASS \
    -destalias SAME_AS_DEFINED_IN_STANDALONE.xml \
    -noprompt    # optional: suppresses interactive prompts, helpful in automation
And that's it. Now just reload (or, if you prefer, restart) your application, and your Let's Encrypt certificate should be presented by Tomcat or Wildfly.
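Because Let's Encrypt certificates expire after 90 days, the two steps above have to be repeated at every renewal. The script below is an added example (not from the original post) of a certbot deploy hook that does this unattended: it rebuilds the PKCS12 bundle, imports it over the existing alias, checks that the keystore now holds a private-key entry, and reloads Wildfly. The Wildfly install path, the keystore location, the alias "server" and certbot's RENEWED_LINEAGE variable are assumptions; passwords are read from environment variables rather than passed on the command line, so they do not show up in process listings or shell history.

```shell
#!/bin/sh
# Certbot deploy hook (added example). certbot runs it after a successful renewal
# with RENEWED_LINEAGE=/etc/letsencrypt/live/<domain>; it rebuilds the PKCS12
# bundle, imports it over the existing alias, checks the entry and reloads Wildfly.
set -eu

# Assumed values; adjust to match <keystore ... alias="server"/> in standalone.xml.
KEYSTORE="${KEYSTORE:-/opt/wildfly/standalone/configuration/application.keystore}"
ALIAS="${ALIAS:-server}"
JBOSS_CLI="${JBOSS_CLI:-/opt/wildfly/bin/jboss-cli.sh}"

# Bundle $1/fullchain.pem + $1/privkey.pem into the PKCS12 file $2.
# The export password is read from $PKCS12_PASS, not passed on the command line.
to_pkcs12() {
    openssl pkcs12 -export -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
        -name "$ALIAS" -out "$2" -passout env:PKCS12_PASS
}

# Import the PKCS12 file $1 into the JKS keystore under $ALIAS. With -noprompt,
# keytool overwrites an existing alias (printing a warning) instead of asking.
import_pkcs12() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env PKCS12_PASS \
        -srcalias "$ALIAS" \
        -destkeystore "$KEYSTORE" -deststoretype JKS \
        -deststorepass:env KEYSTORE_PASS -destalias "$ALIAS"
}

# Succeed only if the keystore now holds a private-key entry under $ALIAS.
verify_entry() {
    keytool -list -keystore "$KEYSTORE" -storepass:env KEYSTORE_PASS \
        -alias "$ALIAS" | grep -q PrivateKeyEntry
}

deploy() {
    : "${KEYSTORE_PASS:?KEYSTORE_PASS must be set}"
    export KEYSTORE_PASS PKCS12_PASS="${PKCS12_PASS:-$KEYSTORE_PASS}"
    lineage="${RENEWED_LINEAGE:?run as a certbot deploy hook}"
    bundle="$(mktemp)"                  # mode 0600; contains the private key
    trap 'rm -f "$bundle"' EXIT         # never leave the bundle behind
    to_pkcs12 "$lineage" "$bundle"
    import_pkcs12 "$bundle"
    verify_entry
    # Reload so Wildfly re-reads the keystore (for Tomcat, restart the service).
    "$JBOSS_CLI" --connect --command=":reload"
}

if [ "${1:-}" = "--deploy" ]; then deploy; fi
```

Install it with `certbot ... --deploy-hook "/path/to/this-script --deploy"` (or drop it in /etc/letsencrypt/renewal-hooks/deploy/) with KEYSTORE_PASS set in the hook's environment.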