Tomcat reads PKCS12 keystores. The simplest production path is Let's
Encrypt via certbot (the --standalone authenticator binds port 80 itself,
so nothing else may be listening there while it runs), then a one-time conversion:
sudo apt install -y certbot
sudo certbot certonly --standalone -d <your-host>
# certbot writes /etc/letsencrypt/live/<your-host>/{fullchain,privkey}.pem
sudo openssl pkcs12 -export \
-in /etc/letsencrypt/live/<your-host>/fullchain.pem \
-inkey /etc/letsencrypt/live/<your-host>/privkey.pem \
-out /home/ownsona/tomcat/conf/tomcat.p12 \
-name tomcat \
-password pass:<keystore-pw>
sudo chown ownsona:ownsona /home/ownsona/tomcat/conf/tomcat.p12
sudo chmod 600 /home/ownsona/tomcat/conf/tomcat.p12
Use the same <keystore-pw> you put in the SSLHostConfig block above.
Note that pass:<keystore-pw> places the password on the command line, so it
is visible in shell history and in the process list while openssl runs.
Set up a renewal hook so each renewal regenerates the keystore and restarts Tomcat. Example at /etc/letsencrypt/renewal-hooks/deploy/ownsona-tomcat:
#!/bin/sh
set -e
openssl pkcs12 -export \
-in "$RENEWED_LINEAGE/fullchain.pem" \
-inkey "$RENEWED_LINEAGE/privkey.pem" \
-out /home/ownsona/tomcat/conf/tomcat.p12 \
-name tomcat \
-password pass:<keystore-pw>
chown ownsona:ownsona /home/ownsona/tomcat/conf/tomcat.p12
chmod 600 /home/ownsona/tomcat/conf/tomcat.p12
systemctl restart ownsona.service
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/ownsona-tomcat
The hook embeds <keystore-pw> in clear text, so keep it owned by root and
not readable by other users; certbot runs deploy hooks as root.
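To confirm after a renewal that the keystore really holds the renewed certificate, here is an added check script (not from the original page) that performs the same PKCS12 export the hook does against a constructed self-signed certificate and compares SHA-256 fingerprints of the PEM leaf and the keystore leaf. KEYSTORE_PW stands in for <keystore-pw>, and the temporary directory stands in for $RENEWED_LINEAGE.

```shell
#!/bin/sh
# Added example, not part of the original page: build the Tomcat keystore the way
# the renewal hook does and verify it carries the same leaf cert as fullchain.pem.
set -eu

KEYSTORE_PW="${KEYSTORE_PW:-example-keystore-pw}"   # placeholder for <keystore-pw>

# make_test_lineage DIR: constructed stand-in for $RENEWED_LINEAGE, holding a
# throwaway self-signed fullchain.pem/privkey.pem pair (real runs use certbot's).
make_test_lineage() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
}

# build_keystore LINEAGE OUT: the same export the deploy hook performs.
build_keystore() {
    openssl pkcs12 -export \
        -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
        -out "$2" -name tomcat -password "pass:$KEYSTORE_PW"
    chmod 600 "$2"
}

# leaf_fingerprint_pem FILE: SHA-256 fingerprint of the first cert in a PEM chain.
leaf_fingerprint_pem() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# leaf_fingerprint_p12 FILE: fingerprint of the client cert stored in the keystore.
leaf_fingerprint_p12() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -password "pass:$KEYSTORE_PW" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# keystore_matches LINEAGE KEYSTORE: exit 0 when the keystore leaf equals the
# renewed leaf, non-zero otherwise (a stale keystore after a failed hook run).
keystore_matches() {
    [ "$(leaf_fingerprint_pem "$1/fullchain.pem")" = "$(leaf_fingerprint_p12 "$2")" ]
}
```

Against a live deployment, call keystore_matches with /etc/letsencrypt/live/<your-host> and /home/ownsona/tomcat/conf/tomcat.p12 after the hook has run.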