Built for Tomcat
The pre-built Java KeyStore template and restart script ship in your CertKit account. No keytool required.
Tomcat loads its TLS certificate from the keystore referenced by the HTTPS connector
in server.xml, read once at startup. When a certificate renews, the
keystore on disk is stale and Tomcat keeps serving the old certificate until someone
rebuilds the keystore and restarts the service.
Every 47 days.
On every Tomcat instance you run.
CertKit centralizes certificate issuance and renewal, then writes the updated Java KeyStore to the path Tomcat already reads and restarts the service automatically via the CertKit Agent.
The pre-built Java KeyStore template and restart script ship in your CertKit account. No keytool required.
The CertKit Agent writes the renewed certificate, private key, and intermediate chain into a Java KeyStore at the path you set, under the alias and password your connector expects, then restarts the Tomcat service so it loads the new certificate.
You point the HTTPS connector at that keystore file once in
server.xml. After that, CertKit overwrites the same file on every
renewal and restarts the service. There is nothing to reconfigure in Tomcat again.
The manual process, if you want to do it yourself:
keytool -genkey tutorials. That path makes a self-signed
certificate every browser warns about. You want one from a trusted CA.
openssl, then keytool -importkeystore it into the
keystore Tomcat reads. The alias and passwords have to match what the connector
expects, and the error messages when they don't are famously unhelpful.
certificateKeystoreFile in the
SSLHostConfig block on Tomcat 8.5 and later, or
keystoreFile on older versions.
Every one of these steps is manual, and Tomcat won't repeat any of them for you when the certificate renews. With lifetimes shrinking to 47 days, installation stops being an annual chore and becomes a recurring task: eight times a year, on every instance. Miss one and the application behind it starts throwing certificate errors.
At 47 days, automation is the only sustainable way to run Tomcat certificates. Here's how CertKit does it.
Your Tomcat server CertKit ACME CA ┌───────────────────┐ ┌──────────────────┐ ┌─────────────┐ │ │ │ │ │ │ │ ┌───────────────┐ │ Issue & Renew │◄──►│ │ │ │ CertKit Agent │◄──┤ Certificates │ │ │ │ └─────────┬─┬───┘ │ ┌───┐ └─────────────┘ │ │ │ │ └───────────┬────│DNS│ │ .jks file ◄──┘ │ │ │ └───┘ │ [x] Written │ │ │ │ │ │ │ │ Tomcat ◄───┘ │ ◄───────────────┘ │ [x] Restarted │ Verify └───────────────────┘
CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. Your Tomcat servers do not run ACME, no open ports, no DNS credentials. They just run the agent.
CertKit makes what many companies struggle with much easier to manage while at the same time providing great value compared to the traditional vendors in the space.
Ben Story, Managed Services Director, RedEye Network Solutions
server.xml, set the HTTPS connector's keystore to the file CertKit
writes. This is the only change you make inside Tomcat, and you only make it once.
The usual DIY chain is an ACME client fetching PEM files, an openssl
conversion to PKCS12, a keytool -importkeystore into the live keystore,
and a service restart, wired together with cron. Every link has a failure mode:
keystore and key passwords drifting apart, the alias not matching the connector,
JKS versus PKCS12 confusion between Tomcat versions, and a chain that breaks silently
until the certificate expires. And Java has no native ACME story, so the ACME client
itself needs port 80 open or DNS credentials on the server.
CertKit issues the certificate centrally via delegated DNS validation, then the agent writes the keystore and restarts the service as one verified step, with no ACME client on the server and no keytool to run by hand.
Most environments have more than one place where TLS certificates live: Apache or nginx in front of Tomcat, and other keystore-based servers like CrushFTP. CertKit automates all of it from one account.
Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.