@ezhov-da
Last active March 10, 2019 12:17
Free certificate for java
https://community.thingworx.com/thread/39949
A fully working example:
To install your certificate:
First install and configure Java and Tomcat to the point where you would usually generate a self-signed certificate.
------Start----
$ cd
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ ./certbot-auto
$ ./certbot-auto certonly --standalone -d example.mydomain.ext --email user@example.mydomain.ext
$ cd /etc/letsencrypt/live/example.mydomain.ext/
$ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name tomcat
==== you will be asked for a password here, remember it! I will call it "mypassword" for the sake of this explanation.
$ keytool -importkeystore -deststorepass mypassword -destkeypass mypassword -destkeystore MyDSKeyStore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias tomcat
$ sudo cp ./MyDSKeyStore.jks $CATALINA_HOME/conf/.keystore
$ sudo chown root:tomcat8 $CATALINA_HOME/conf/.keystore
$ sudo chmod 640 $CATALINA_HOME/conf/.keystore
------End---
To renew your certificate:
Essentially you repeat the process above exactly as you did at the beginning, with one minor difference: when you run the command to generate the cert, it will offer you an option to renew the existing one. The rest remains unchanged. You must also remember to stop Tomcat before the procedure and start it again afterwards; if you do not, you will get an error saying that the port is already in use.
Go to where you downloaded the certbot-auto file and enter these commands:
------Start----
$ sudo service tomcat8 stop
$ ./certbot-auto certonly --standalone -d example.mydomain.ext --email user@example.mydomain.ext
==== select option 2 (to renew if it has not yet expired)
$ cd /etc/letsencrypt/live/example.mydomain.ext/
Please note: When renewing you need to use the same password used to generate the initial certificate. Check Tomcat server.xml if you can't remember.
$ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name tomcat
==== you will be asked for a password here, remember it! I will call it "mypassword" for the sake of this explanation.
$ keytool -importkeystore -deststorepass mypassword -destkeypass mypassword -destkeystore MyDSKeyStore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass mypassword -alias tomcat
==== confirm the overwrite when prompted
$ sudo cp ./MyDSKeyStore.jks $CATALINA_HOME/conf/.keystore
$ sudo chown root:tomcat8 $CATALINA_HOME/conf/.keystore
$ sudo chmod 640 $CATALINA_HOME/conf/.keystore
$ sudo service tomcat8 start
------End---
Use the same password with which you originally installed, or alternatively update your Tomcat server.xml config.
If you want to test if your certificate is installed, you can do so from the command line by issuing the following:
$ curl https://example.mydomain.ext/ --tlsv1.2 --verbose
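The commands above pass the keystore password on the command line, where it is visible in `ps` output and shell history, and they never check that `privkey.pem` actually belongs to `fullchain.pem` before Tomcat is restarted. The script below is an added example (not the gist's or the original thread's own commands) that performs the same PKCS#12 -> JKS conversion and install with those two gaps closed: the password is read from the `KEYSTORE_PASS` environment variable via `openssl -passout env:` and keytool's `-storepass:env` forms, the key is verified against the leaf certificate, and the cert's remaining lifetime is checked with `openssl x509 -checkend` so a stale renewal is noticed. It assumes the certificates were already obtained (by certbot-auto as above, or any other ACME client) into the Let's Encrypt live directory layout; the domain, `tomcat8` group and `$CATALINA_HOME` default are taken from the gist and are placeholders.

```shell
#!/bin/sh
# Added example: hardened PEM -> PKCS#12 -> JKS install for Tomcat.
# Assumes openssl and keytool on PATH and KEYSTORE_PASS in the environment.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/example.mydomain.ext}"   # placeholder domain from the gist
KEYSTORE_DEST="${KEYSTORE_DEST:-${CATALINA_HOME:-/opt/tomcat}/conf/.keystore}"
TOMCAT_GROUP="${TOMCAT_GROUP:-tomcat8}"   # group used in the gist; adjust for your distro
KS_ALIAS="${KS_ALIAS:-tomcat}"

# Return 0 when the private key's public half matches the leaf certificate's public key.
# Catches a key/chain mismatch before it is baked into the keystore and handed to Tomcat.
key_matches_cert() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate expires within N days (-checkend exits 0 only if it will
# still be valid after that many seconds, so the result is negated).
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Convert chain + key to PKCS#12 and import into a JKS keystore without putting the
# password on any command line (mktemp yields a 0600 file for the intermediate .p12).
build_keystore() {
    cert="$1"; key="$2"; out_jks="$3"
    : "${KEYSTORE_PASS:?set KEYSTORE_PASS in the environment}"
    export KEYSTORE_PASS
    if ! key_matches_cert "$cert" "$key"; then
        echo "refusing to build keystore: private key does not match certificate" >&2
        return 1
    fi
    p12=$(mktemp)
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$KS_ALIAS" \
        -out "$p12" -passout env:KEYSTORE_PASS
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env KEYSTORE_PASS \
        -destkeystore "$out_jks" -deststoretype JKS -deststorepass:env KEYSTORE_PASS \
        -destkeypass:env KEYSTORE_PASS -alias "$KS_ALIAS"
    rm -f "$p12"
}

# Same ownership and mode as the gist (root:tomcat8, 0640), done atomically with install(1).
install_keystore() {
    src="$1"; dest="$2"
    install -o root -g "$TOMCAT_GROUP" -m 0640 "$src" "$dest"
}

main() {
    cert="$LIVE_DIR/fullchain.pem"; key="$LIVE_DIR/privkey.pem"
    if expires_within_days "$cert" 30; then
        echo "warning: $cert expires within 30 days; renew with certbot before installing" >&2
    fi
    jks=$(mktemp)
    build_keystore "$cert" "$key" "$jks"
    install_keystore "$jks" "$KEYSTORE_DEST"
    rm -f "$jks"
    echo "installed keystore at $KEYSTORE_DEST; restart Tomcat to load it"
}

# Run as root with the password in the environment:  KEYSTORE_PASS=... ./install-keystore.sh run
case "${1:-}" in run) main ;; esac
```

The password used here must still match `keystorePass` in Tomcat's server.xml, exactly as the gist says. Note also that Tomcat's SSL connector accepts a PKCS#12 file directly (`keystoreType="PKCS12"` on the Connector), so the keytool step can be dropped entirely if you point `keystoreFile` at the `.p12`.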