KeyChest Blog

Let's Encrypt certificate into Java JKS

Feb 19, 2020 3:44:59 PM / by Dan

If you run Java applications, you need to convert the PEM files created by Let's Encrypt clients on Linux into a JKS keystore. It's just a few steps, if you know which ones.


Because I was doing it only a few times a year, I always forgot. If you have the same problem, here's a short step-by-step. It should work for any applications run by a recent Java version (Java 6, Java 7, Java 8, Java 11).

What you need: certbot (or another Let's Encrypt client), openssl, keytool (part of every Java distribution).

STEP 0: I sometimes have to find the path for certbot if it doesn’t get set for the “root” user (assuming certbot is installed):

which certbot
sudo su # or switch to whatever user you intend to use
export PATH=<certbotpath>:$PATH

STEP 1: assuming you’re root (or other account with necessary privileges):

certbot renew

Note: you can use any other Let's Encrypt client; the only difference is possibly a different location of the keys & certificates.

STEP 2: if the renewal was successful, we can move on to the “tricky part”. Change the working directory to a folder with the new certificate:

cd /etc/letsencrypt/live/<domain name>

STEP 3: create a PKCS12/PFX file containing the new private key and the certificate chain (in the examples, the password protecting this intermediate file is “password”):

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out server.p12 -name tomcat

Note: you will be asked for a password; you have to use the same one in the following step, replacing “password”.

Note: initially, we tried “-in cert.pem -CAfile chain.pem ….”, which doesn’t include the chain in the P12 file, so Keep It Simple Stupid (KISS). :)

STEP 4: convert the PKCS12 file into a JKS Java keystore. There are three variables in the following command: "password" - the one you used in STEP 3, "/tmp/le_keystore.jks" - the location and name of the JKS file, and "tomcat" - the alias (key name) of the entry in the JKS file. You need to make sure that your Java configuration file matches your values!

keytool -importkeystore -deststorepass password -destkeypass password -destkeystore /tmp/le_keystore.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass password -alias tomcat

STEP 5: We used it for a Tomcat app, which required a restart to pick up the new SSL certificate.

STEP 6: clean up - delete the temporary P12 file, and possibly the JKS, so you don't keep unnecessary copies of the private key.
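Steps 3 to 6 above are the part that is easy to forget, so here they are wrapped in one POSIX shell function, as an added example rather than a script from the original post. It assumes certbot's /etc/letsencrypt/live/<domain> layout (privkey.pem and fullchain.pem), openssl and keytool on PATH, and a Tomcat-style alias; the function and variable names are ours. It differs from the commands above in three practical ways: the password reaches openssl and keytool through the environment instead of the command line, so it does not appear in "ps" output; "-deststoretype JKS" is set explicitly, because keytool on Java 9 and later defaults to PKCS12 and would otherwise write a PKCS12 file under the .jks name; and the result is checked with "keytool -list" before the temporary P12 is removed.

```shell
#!/bin/sh
# Added example (not from the original post): STEP 3 to STEP 6 in one function.
# Assumed: certbot live directory with privkey.pem + fullchain.pem, openssl and
# keytool on PATH. Names (pem_to_jks, P12_PASS, le_p12.*) are ours.

# pem_to_jks LIVE_DIR OUT_JKS ALIAS PASSWORD
#   LIVE_DIR  directory holding privkey.pem and fullchain.pem
#   OUT_JKS   keystore to create or update
#   ALIAS     entry name; must match the Java/Tomcat configuration
#   PASSWORD  protects the temporary P12, the JKS store and the key entry
# The body runs in a subshell so umask and the exported password do not leak
# into the calling shell. Returns 0 only if the JKS entry is readable.
pem_to_jks() (
    live_dir="$1"; out_jks="$2"; alias="$3"
    # Password via environment (openssl "env:", keytool ":env"), not argv.
    P12_PASS="$4"; export P12_PASS
    umask 077                                   # private-key copies: owner-only
    p12="$(mktemp "${TMPDIR:-/tmp}/le_p12.XXXXXX")" || return 1
    status=0

    # STEP 3: private key + full chain into one PKCS12 bundle
    if ! openssl pkcs12 -export \
            -in "$live_dir/fullchain.pem" -inkey "$live_dir/privkey.pem" \
            -name "$alias" -passout env:P12_PASS -out "$p12"; then
        status=1
    fi

    # STEP 4: PKCS12 -> JKS. -deststoretype JKS is required on Java 9+,
    # where keytool otherwise writes PKCS12 regardless of the file name.
    if [ "$status" -eq 0 ] && ! keytool -importkeystore -noprompt \
            -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env P12_PASS \
            -srcalias "$alias" -destalias "$alias" \
            -destkeystore "$out_jks" -deststoretype JKS \
            -deststorepass:env P12_PASS -destkeypass:env P12_PASS; then
        status=1
    fi

    # Check: the entry must be listable with the chosen alias and password,
    # otherwise the Java application will fail at startup, not now.
    if [ "$status" -eq 0 ] && ! keytool -list -keystore "$out_jks" \
            -storetype JKS -storepass:env P12_PASS -alias "$alias" \
            >/dev/null 2>&1; then
        status=1
    fi

    # STEP 6: never leave the intermediate P12 behind, whatever happened.
    rm -f "$p12"
    return "$status"
)

# Usage (STEP 5, restarting the application, is left to the caller):
#   pem_to_jks /etc/letsencrypt/live/<domain name> /tmp/le_keystore.jks tomcat "$PASS"
```

Because certbot exports the renewed lineage directory as RENEWED_LINEAGE to a --deploy-hook, calling pem_to_jks "$RENEWED_LINEAGE" from such a hook runs the conversion only when STEP 1 actually produced a new certificate.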

A note of caution - it may be the case that configuration files are wrapped in a jar file. (Just in case you can’t find any and have been banging your head against your desk for the last 2 days :)

Certificate expiration causes costly downtimes and complete breakdowns of encryption. Our expert service automatically checks and renews your certificates, on time, and correctly, so you can start every day with confidence.

Tags: letsencrypt


Written by Dan