

Please see Apache reverse-proxy SSL to multiple server applications for an alternative (my preferred) solution to implementing SSL in a way that can work with any server application.

Setup guide for when you need to use certbot-auto with a Tomcat Java keystore. Note this assumes you are running some flavour of Linux.

These guidelines are adapted from this excellent Vaadin guide here (p.s. I (heart) Vaadin !).

Download and install certbot-auto

Download latest version of certbot-auto:

sudo wget https://dl.eff.org/certbot-auto

Install (note this is optional and you can run from where you downloaded if you want):

sudo cp certbot-auto /usr/bin/certbot-auto
sudo chmod a+x /usr/bin/certbot-auto
sudo certbot-auto

Obtain certbot-auto certificate

sudo certbot-auto --no-bootstrap certonly --standalone --preferred-challenges tls-sni -d <sub.domain.com>

Convert certificate to PKCS12

Change to letsencrypt directory for SSL sub/domain you obtained, e.g.

sudo su
cd /etc/letsencrypt/live/<sub.domain.com>

Note: above is an example from the confluence cert path.

Convert the certbot-auto certificate to PKCS12 format:

sudo openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name tomcat -passout pass:<PASSWORD>

Note: replace <PASSWORD> with a secure password string.

Import to .keystore (and create keystore):

sudo keytool -importkeystore -deststorepass <PASSWORD> -destkeypass <PASSWORD> -destkeystore .keystore -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass <PASSWORD> -alias tomcat

Note: replace <PASSWORD> with the secure password string you created in the previous step.

This creates the .keystore file in the current directory. You may need to copy it to another (expected) location.

Usually you will need to copy the .keystore file (so it can be referenced) to the user folder of the user who runs apache. You can find that user with:

ps auxwww | grep tomcat
Then you can run 'id 501' if you see user id 501.
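
Added example (not part of the original guide): the two conversion steps above written as shell functions that read the password from a file instead of the command line, where a process listing such as the `ps auxwww` above shows it to other local users while the command runs. The function names, the password file and the constructed self-signed sample certificate are assumptions of this sketch; the openssl and keytool options are the ones used on this page plus keytool's `:file` password modifier.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Function names, the password
# file and the sample data are assumptions of this sketch (Linux, GNU stat).

# Refuse a password file that group or others can access.
check_passfile() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# build_p12 LIVE_DIR PASSFILE OUT: the page's openssl step, password from a file.
build_p12() {
    local live="$1" passfile="$2" out="$3"
    check_passfile "$passfile" || return 2
    rm -f "$out"
    ( umask 077   # the bundle holds the private key, so create it 0600
      openssl pkcs12 -export -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
          -out "$out" -name tomcat -passout "file:$passfile" )
}

# verify_p12 LIVE_DIR PASSFILE P12: succeeds only if the bundle opens with the
# password and carries the same leaf certificate as fullchain.pem.
verify_p12() {
    local live="$1" passfile="$2" p12="$3" want got
    want=$(openssl x509 -in "$live/fullchain.pem" -noout -fingerprint -sha256) || return 1
    got=$(openssl pkcs12 -in "$p12" -passin "file:$passfile" -nokeys -clcerts 2>/dev/null |
          openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ "$want" = "$got" ]
}

# import_keystore PASSFILE P12 KEYSTORE: the page's keytool step, using the
# :file modifier so no password appears in the argument list.
import_keystore() {
    local passfile="$1" p12="$2" ks="$3"
    keytool -importkeystore -noprompt -alias tomcat \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:file "$passfile" \
        -destkeystore "$ks" -deststorepass:file "$passfile" \
        -destkeypass:file "$passfile" && chmod 600 "$ks"
}

# make_sample DIR: constructed throwaway self-signed certificate and password
# file for trying the functions; not a real Let's Encrypt lineage.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sub.domain.example" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null || return 1
    ( umask 077; printf '%s\n' 'constructed-sample-password' > "$1/pass" )
}
```

On a real host, pass /etc/letsencrypt/live/<sub.domain.com> as LIVE_DIR and run build_p12, verify_p12 and import_keystore in that order after each renewal.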


  1. https://vaadin.com/blog/enabling-https-in-your-java-server-using-a-free-certificate