@zhouhoo
Last active July 8, 2017 02:44
1. Go to the Let's Encrypt homepage and install a client such as certbot; the client requests and renews certificates from the Let's Encrypt CA automatically (Let's Encrypt is the CA, what you obtain and renew is a certificate).
2. Get and renew the certificate (the webroot must be served over plain HTTP at http://example.com/.well-known/acme-challenge/ for the validation to succeed):
2.1 certbot certonly --webroot -w /var/www/example -d example.com
2.2 certbot renew --dry-run
If you have configured this before, delete the old entries from the keystore first, otherwise keytool prompts before overwriting an existing alias (e.g. $keystoredir=MyDSKeyStore.jks; note that -storepass on the command line ends up in shell history and is visible in the process list while keytool runs):
keytool -delete -alias root -storepass changeit -keystore $keystoredir
keytool -delete -alias tomcat -storepass changeit -keystore $keystoredir
3. Prepare the keystore for Tomcat (assume $certdir is the certbot live directory, by default /etc/letsencrypt/live/yourdomain/; changeit is the keystore password, replace it with your own; aaa is only a throwaway password for the intermediate .p12 file, which you should delete afterwards since it holds the private key):
3.1 openssl pkcs12 -export -in $certdir/fullchain.pem -inkey $certdir/privkey.pem -out $certdir/cert_and_key.p12 -name tomcat -CAfile $certdir/chain.pem -caname root -password pass:aaa
3.2 keytool -importkeystore -srcstorepass aaa -deststorepass changeit -destkeypass changeit -srckeystore $certdir/cert_and_key.p12 -srcstoretype PKCS12 -alias tomcat -keystore $keystoredir
3.3 keytool -import -trustcacerts -alias root -deststorepass changeit -file $certdir/chain.pem -noprompt -keystore $keystoredir
Note on 3.3: chain.pem is the Let's Encrypt intermediate, not a root, so the alias "root" is a misnomer. Tomcat sends clients the chain stored with the "tomcat" key entry (fullchain.pem already contains leaf and intermediate), so this extra trusted-certificate entry is not needed for browsers to validate the site.
4. Configure Tomcat: open server.xml and add a connector like this (Http11Protocol is the old blocking connector, removed in Tomcat 8.5; Http11NioProtocol works on all current versions; write the real password in place of changeit, without angle brackets):
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/path/to/MyDSKeyStore.jks" keystorePass="changeit"
keyAlias="tomcat" keyPass="changeit"
/>
The keystore file contains your private key: keep it owned by the Tomcat user with mode 0600. Tomcat 8.5 and later can also read the PEM files directly (certificateKeyFile, certificateFile and certificateChainFile on the Certificate element inside SSLHostConfig), which avoids the keystore conversion entirely.
With the above your server works over HTTPS for free, thanks to Let's Encrypt. One caveat: certbot renew replaces the PEM files in the live directory but knows nothing about the JKS, so Tomcat keeps serving the old certificate until step 3 is repeated and Tomcat is restarted. Let's Encrypt certificates are short-lived (90 days), so automate the rebuild, for example as a certbot deploy hook.
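The rebuild as a script suitable for certbot --deploy-hook, added here as an example (not part of the gist or of certbot/Tomcat). It performs steps 3.1 and 3.2 into a fresh keystore and swaps it in, so the delete-old-aliases step is never needed. Passwords go through the environment (openssl -passout env:, keytool -storepass:env) rather than argv, so they do not show in ps or shell history. The function name rebuild_keystore, the password file /etc/tomcat/keystore.pass and the restart command are assumptions for the example; RENEWED_LINEAGE is the variable certbot sets for deploy hooks.

```shell
#!/bin/sh
# Rebuild a Tomcat JKS keystore from a certbot live directory.
# Example script for this gist (not certbot's or Tomcat's own code).
# Usage as a deploy hook:
#   certbot renew --deploy-hook /usr/local/bin/rebuild-tomcat-keystore.sh

# rebuild_keystore <certdir> <keystore.jks> <storepass>
#   certdir   certbot live dir holding fullchain.pem and privkey.pem
#   keystore  destination JKS, replaced atomically on success
#   storepass password for the keystore and the key entry
rebuild_keystore() {
    certdir=$1; keystore=$2; storepass=$3
    for f in fullchain.pem privkey.pem; do
        if [ ! -r "$certdir/$f" ]; then
            echo "rebuild_keystore: missing $certdir/$f" >&2
            return 1
        fi
    done
    work=$(mktemp -d) || return 1
    # Both tools read the password from the environment, never from argv.
    P12PASS=$storepass;  export P12PASS
    STOREPASS=$storepass; export STOREPASS
    # Step 3.1: leaf + intermediates (fullchain.pem) and the key into a PKCS12.
    if ! openssl pkcs12 -export -name tomcat \
            -in "$certdir/fullchain.pem" -inkey "$certdir/privkey.pem" \
            -passout env:P12PASS -out "$work/cert_and_key.p12"; then
        rm -rf "$work"; unset P12PASS STOREPASS; return 1
    fi
    # Step 3.2: convert into a brand-new JKS, so no stale alias can linger.
    if ! keytool -importkeystore -noprompt -alias tomcat \
            -srckeystore "$work/cert_and_key.p12" -srcstoretype PKCS12 \
            -srcstorepass:env P12PASS \
            -destkeystore "$work/new.jks" -deststoretype JKS \
            -deststorepass:env STOREPASS -destkeypass:env STOREPASS; then
        rm -rf "$work"; unset P12PASS STOREPASS; return 1
    fi
    # Private key inside: owner-only, then atomic replace of the live keystore.
    chmod 600 "$work/new.jks"
    mv "$work/new.jks" "$keystore"
    rm -rf "$work"          # also removes the throwaway .p12
    unset P12PASS STOREPASS
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# when running a deploy hook; outside certbot this block does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # Assumed locations: adjust to your installation.
    KEYSTORE=/opt/tomcat/conf/MyDSKeyStore.jks
    PASSFILE=/etc/tomcat/keystore.pass        # root-only, mode 0600
    rebuild_keystore "$RENEWED_LINEAGE" "$KEYSTORE" "$(cat "$PASSFILE")" \
        && systemctl restart tomcat           # assumed service name
fi
```

If an older JDK rejects the PKCS12 produced by OpenSSL 3 (it defaults to AES-256/PBKDF2, which JDK 8 before 8u301 cannot read), add -legacy to the openssl command. Point keystoreFile in server.xml at $KEYSTORE and the connector picks up the new certificate on restart.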