Let's Encrypt certificate into Java JKS
If you run Java applications, you need to convert the PEM files created by Let's Encrypt clients into a JKS keystore. It's just a few steps, if you know which ones.
Because I was doing it only a few times a year, I always forgot. If you have the same problem, here's a short step-by-step. It should work for any application run by a recent Java version (Java 6, Java 7, Java 8, Java 11).
What you need: certbot (or another Let's Encrypt client), openssl, keytool (part of every Java distribution).
STEP 0: I sometimes have to find the path for certbot if it doesn’t get set for the “root” user (assuming certbot is installed):
which certbot
sudo su # or switch to whatever user you intend to use
export PATH=<certbotpath>:$PATH
STEP 1: assuming you're root (or another account with the necessary privileges), run the certificate renewal with your Let's Encrypt client.
Note: you can use any other Let's Encrypt client; the only difference is possibly a different location of the keys and certificates.
STEP 2: if the renewal was successful, we can move on to the “tricky part”. Change the working directory to a folder with the new certificate:
cd /etc/letsencrypt/live/<domain name>
STEP 3: create a PKCS12/PFX file containing the new private key and the certificate chain (the intermediate password is "password"):
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out server.p12 -name tomcat
Note: you will be asked for an export password; use the same value in the following step, where it replaces password.
Note: initially, we tried "-in cert.pem -CAfile chain.pem ...", which doesn't include the chain in the P12 file, so Keep It Simple Stupid (KISS). :)
STEP 4: convert the PKCS12 file into a JKS Java keystore. There are three variables in the following command: "password" - the password you used in STEP 3, "/tmp/le_keystore.jks" - the location and name of the JKS file, and "tomcat" - the alias (key name) in the JKS file. You need to make sure that your Java configuration file matches your values!
keytool -importkeystore -deststorepass password -destkeypass password -destkeystore /tmp/le_keystore.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass password -alias tomcat
STEP 5: we used it for a Tomcat app, which required a restart to pick up the new SSL certificate.
STEP 6: clean up - delete the temporary P12 file (and the JKS in /tmp once it is no longer needed) so you don't keep unnecessary copies of the private key.
A note of caution - it may be the case that the configuration files are wrapped in a jar file (just in case you can't find any and have been banging your head against your desk for the last 2 days :)).
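Steps 3 to 6 combined into a certbot deploy hook, as an added example that is not from the original post. It assumes certbot's RENEWED_LINEAGE variable, a keystore password kept in /etc/tomcat/keystore.pass and the destination /etc/tomcat/le_keystore.jks (both hypothetical paths), uses a random one-off password for the intermediate P12 instead of the literal "password", checks that the leaf certificate in the JKS is the renewed one before replacing the keystore, and removes the temporary files.

```shell
#!/bin/sh
# Added example (not the original post's commands): rebuild a JKS from a renewed
# Let's Encrypt lineage. Assumes certbot's live layout (privkey.pem, fullchain.pem)
# and that openssl and keytool are on PATH.
# Usage: pem_to_jks <lineage dir> <dest .jks> <alias> <keystore password>
set -eu

pem_to_jks() {
    lineage=$1 dest=$2 alias=$3 storepass=$4
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT          # STEP 6: drop the temporary P12 on exit
    umask 077                              # keystore must not be world-readable
    p12pass=$(openssl rand -hex 16)        # one-off password for the intermediate P12
    # STEP 3: key + full chain into a PKCS12 file
    openssl pkcs12 -export -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -out "$workdir/server.p12" -name "$alias" -passout "pass:$p12pass"
    # STEP 4: PKCS12 -> JKS
    keytool -importkeystore -noprompt \
        -srckeystore "$workdir/server.p12" -srcstoretype PKCS12 -srcstorepass "$p12pass" \
        -destkeystore "$workdir/keystore.jks" -deststoretype JKS \
        -deststorepass "$storepass" -destkeypass "$storepass" -alias "$alias" >/dev/null 2>&1
    # Verify the leaf certificate in the JKS is the one that was just issued
    pem_fp=$(openssl x509 -in "$lineage/fullchain.pem" -noout -fingerprint -sha256 | cut -d= -f2)
    jks_fp=$(keytool -list -v -keystore "$workdir/keystore.jks" -storepass "$storepass" \
        -alias "$alias" | awk '/SHA256:/ {print $2; exit}')
    [ "$pem_fp" = "$jks_fp" ] || { echo "fingerprint mismatch, keystore not installed" >&2; return 1; }
    mv "$workdir/keystore.jks" "$dest"     # replace the live keystore only after verification
}

# When run by certbot as a --deploy-hook, RENEWED_LINEAGE points at the live dir
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    pem_to_jks "$RENEWED_LINEAGE" /etc/tomcat/le_keystore.jks tomcat "$(cat /etc/tomcat/keystore.pass)"
    systemctl restart tomcat               # STEP 5: Tomcat reads the keystore only at startup
fi
```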