Install SSL on Tomcat 9

As per the Tomcat documentation, Tomcat 9 supports JKS, PKCS11 and PKCS12 format key stores.

In our case, we have certificates in .crt format, which need to be converted to one of these formats.

To convert the .crt to .pfx (PKCS12), use the openssl command:

openssl pkcs12 -export -out cert.pfx -inkey private.key -in certificate.crt -certfile ca_bundle.crt -name karthi_au

When you run the command you will be prompted for an export password (this is the password that goes into the Tomcat config file later). Once that is done, the .pfx file is ready.

Now change the Tomcat 9 configuration file (server.xml):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
    maxThreads="150" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/etc/ssl/karthi_au/cert.pfx"
    keystorePass="changeit">
</Connector>

Set keystoreFile to the path of the .pfx file and keystorePass to the password you entered during .pfx generation.

Once done, save the file and restart the Tomcat 9 service.

Test by accessing the application over HTTPS on port 8443.

Using JKS keystore instead of PKCS12

To use a JKS keystore, we first need to create the keystore and then import the certificates into it.

Use the keytool command to import the existing .pfx keystore into a JKS keystore:

keytool -importkeystore -srckeystore cert.pfx -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks -alias karthi_au
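The conversion steps from both sections above (openssl for the .pfx, keytool for the .jks), wrapped in functions with a check on the result, as an added shell example that is not part of the original post. It assumes openssl on PATH and a JDK for the keytool part; the self-signed key and certificate it generates are constructed stand-ins for private.key, certificate.crt and the CA bundle, and the alias, file names and password mirror the post.

```sh
#!/bin/sh
# Added example, not from the original post: wraps the openssl and keytool
# steps in functions and checks the keystore before it goes into server.xml.
# File names, alias and password mirror the post; the self-signed key and
# certificate are constructed stand-ins for private.key and certificate.crt.
set -eu

WORK="${TMPDIR:-/tmp}/tomcat-ssl-example.$$"
mkdir -p "$WORK"

# Build a PKCS12 keystore from a PEM private key, its certificate and an
# optional CA bundle. The export password is given with -passout so the
# step can run unattended (the post's command prompts for it instead).
build_pkcs12() {
  key="$1"; cert="$2"; bundle="$3"; alias="$4"; out="$5"; password="$6"
  if [ -n "$bundle" ]; then
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
      -certfile "$bundle" -name "$alias" -passout "pass:$password"
  else
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
      -name "$alias" -passout "pass:$password"
  fi
}

# Succeeds only if the keystore opens with this password and contains a
# private key, which is exactly what Tomcat needs at startup.
verify_pkcs12() {
  out="$1"; password="$2"
  openssl pkcs12 -in "$out" -passin "pass:$password" -nocerts -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

# Same conversion as the post's keytool command, with the passwords supplied
# on the command line so it does not prompt. -srcalias is keytool's documented
# name for the alias to copy from the source keystore.
convert_to_jks() {
  src="$1"; dest="$2"; alias="$3"; password="$4"
  keytool -importkeystore -srckeystore "$src" -srcstoretype pkcs12 \
    -destkeystore "$dest" -deststoretype jks -srcalias "$alias" \
    -srcstorepass "$password" -deststorepass "$password" -noprompt
}

demo() {
  # Constructed input: a throwaway self-signed key and certificate. There is
  # no CA bundle here, so the -certfile argument is left empty.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example.test" \
    -keyout "$WORK/private.key" -out "$WORK/certificate.crt" >/dev/null 2>&1
  build_pkcs12 "$WORK/private.key" "$WORK/certificate.crt" "" karthi_au \
    "$WORK/cert.pfx" changeit
  verify_pkcs12 "$WORK/cert.pfx" changeit
  echo "PKCS12 keystore OK: $WORK/cert.pfx"
  # The JKS step only runs where a JDK (keytool) is installed.
  if command -v keytool >/dev/null 2>&1; then
    convert_to_jks "$WORK/cert.pfx" "$WORK/keystore.jks" karthi_au changeit
    keytool -list -keystore "$WORK/keystore.jks" -storepass changeit
  fi
}

demo
```

Run it as a script. verify_pkcs12 is the check worth keeping in a deployment pipeline: a keystore that does not open with the configured keystorePass otherwise only fails when Tomcat starts. Two related caveats: if the JVM running Tomcat refuses a .pfx produced by OpenSSL 3, re-export it with OpenSSL's -legacy option, and set keystoreType="PKCS12" (or "JKS") on the Connector explicitly rather than relying on the default.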

Now change the Tomcat config file (server.xml) so that the connector's keystoreFile points at the .jks keystore file instead of the .pfx.

Restart Tomcat 9 and verify as before.