If you want to continue down the free route, I use a product called Keystore Explorer and have an account with sslforfree
It's a bit of a faff but I've got the time down to around 10 mins for an update, Here are the working notes I made for my son just in case the virus gets me.
Creating or managing an SSL keystore is a little trickier for Tomcat because, although this is a Windows machine,
nevertheless, both Tomcat and AwareIM run on a java virtual machine. So the Keystore type needs to be in the JKS format
The problem is that the certificates issued by sslforfree are in the PKCS12 format (the keyfile is PKCS8-) so they will not import directly into a JKS keystore. They have to be converted.
Here's how to do it using Keystore Explorer
1) create a new keystore in the PKSC12 format
2) Import the CA-Bundle certificate (this is the root and intermediate certificates)
3) import the Key pair (PKCS8 key format - Private.key and Certificate.crt
4) CONVERT THE WHOLE LOT (THE KEYSTORE) BACK TO JKS FORMAT
5) Be sure to name it Keystore
6) set the correct path in Tomcat's /conf/server.xml or just put it where the old one was
7) Restart AwareIM
free certificates expire after 90 days. Best practice is to regenerate the store after 60 days to avoid embarrasing "Not Secure" messages in client browsers
Take a backup of the existing keystore before generating a new one - just in case something goes wrong.
You can generate and put in place the new keystore whilst AwareIM is live. When you want to swap simply restart AIM.
Toncat will also do a restart and pick up the new certificates on restart.
If the client browsers report @server took too long to respond - it's probably because you missed step 4