HELP! SSL unsure what to do with .pem files. Tomcat Windows

Jaymer

Win 2016 server.
I used Win-Acme as the agent to request cert from LetsEncrypt

Before, we would make a self-signed CSR - and import that into the keystore.
but now the Agent makes a CSR.
So if I make & import one, then keys don't match on the received .pem

So I'm not sure where the Agent's CSR is - cause it has to go into the keystore, doesn't it.

And some places say Tomcat can refer to .pem directly in the Connector.
And openssl is there to convert .pem files, so I'm confused.

yahya

Hi Jaymer,

When it comes to SSL, in my experience with getting them installed the easiest method is purchasing a certificate. I utilise a multi-domain certificate from sectigo for $239 per year, you can also get a single domain certificate for $79.

I just have found the installation process to be a lot quicker and easier, especially when it comes to renewals.

There are methods for converting the .pem into a .cer and then importing into your java keystore. I just found that route extremely frustrating compared to just purchasing a certificate.

Jaymer

I agree - I didn't have this issue last time when I bought a certificate outright.
I've wasted more time than the savings for this customer.
And then you have to redo this 4 times a year.
thx

joben

yahya wrote
Hi Jaymer,

When it comes to SSL, in my experience with getting them installed the easiest method is purchasing a certificate. I utilise a multi-domain certificate from sectigo for $239 per year, you can also get a single domain certificate for $79.

I just have found the installation process to be a lot quicker and easier, especially when it comes to renewals.

There are methods for converting the .pem into a .cer and then importing into your java keystore. I just found that route extremely frustrating compared to just purchasing a certificate.

+1
They are very easy to handle and they don't have shady renewal practices like GoDaddy for instance.

rocketman

If you want to continue down the free route, I use a product called Keystore Explorer and have an account with sslforfree

It's a bit of a faff but I've got the time down to around 10 mins for an update, Here are the working notes I made for my son just in case the virus gets me.

Creating or managing an SSL keystore is a little trickier for Tomcat because, although this is a Windows machine,
nevertheless, both Tomcat and AwareIM run on a java virtual machine. So the Keystore type needs to be in the JKS format

The problem is that the certificates issued by sslforfree are in the PKCS12 format (the keyfile is PKCS8-) so they will not import directly into a JKS keystore. They have to be converted.

Here's how to do it using Keystore Explorer

1) create a new keystore in the PKSC12 format
2) Import the CA-Bundle certificate (this is the root and intermediate certificates)
3) import the Key pair (PKCS8 key format - Private.key and Certificate.crt
4) CONVERT THE WHOLE LOT (THE KEYSTORE) BACK TO JKS FORMAT
5) Be sure to name it Keystore
6) set the correct path in Tomcat's /conf/server.xml or just put it where the old one was
7) Restart AwareIM

free certificates expire after 90 days. Best practice is to regenerate the store after 60 days to avoid embarrasing "Not Secure" messages in client browsers

Take a backup of the existing keystore before generating a new one - just in case something goes wrong.

You can generate and put in place the new keystore whilst AwareIM is live. When you want to swap simply restart AIM.
Toncat will also do a restart and pick up the new certificates on restart.

If the client browsers report @server took too long to respond - it's probably because you missed step 4